Client Portal - Security concerns
We just activated the Client Portal and were going to put the portal sign-in link on our website.
CAUTION: ANYONE can click on the link and create a portal even if they ARE NOT in our system and we have NEVER sent them anything. They would then have the ability to upload documents using exchange. This could be a huge SECURITY issue if a hacker knows this and tries to emulate a client and upload a document they want us to open that has damaging contents.
There is also no way to see a list of people that have created the portal or be able to delete or remove portals. This is also very concerning.
The suggestion is to only allow individuals who are in our system (we have sent them returns, signatures, or used exchange) with their email address. If the email is not in our system, it goes into an area that needs to be approved before the portal can be created.
Also be able to view a list of portal accounts and manage that list, including deleting the portal access.
The other security concern I have is the use of just a 6-digit PIN instead of secure passwords. This doesn't seem like it would meet Thomson Reuters' security smell test for access to income tax information.
Rethinking using the portals unless someone can quell my security concerns.
Comments
Firms should be notified of who is registering and firms approve them.