Generally, as others said, the best protection is NOT to connect your site to anything but the site run by Tesla. I'd include mobile apps in addition to websites, but especially with websites.
That may sound odd, as I made one to do just that, but some people want the convenience.
Anyway, the site does not log or preserve the Tesla account password. All access to the site is via a high-grade SSL certificate (encrypted traffic). Once the site authenticates with Tesla it gets a token which is used to access the car API for all future accesses until you disconnect it. Once disconnected the token is discarded and you'd have to log in again.
The site itself is at a high-grade provider locked down with certificate-only access etc. I've developed enterprise-grade software for the FBI, CIA, NSA and others in the past and have gone through their rounds of requirements and testing. I did have a bigger team back then, but very similar principles apply.
If you're concerned, don't connect your car.
Since we're on the topic, I REALLY wish Tesla would officially publish an API and then let the owners restrict apps' abilities to what they can/can't do. All EVTripping is doing is fetching daily mileage information. It does not need or want access to open your sunroof, start your car, etc. But with the current unofficial API, it's all or nothing, which is a terrible security model.
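To illustrate the scoped-token model the post is asking for (and the "token is discarded on disconnect" behaviour described earlier), here is an added example that is not the poster's code nor anything from Tesla or EVTripping: a third-party app is issued a signed token carrying only a read scope, the API checks that scope per endpoint, and revocation makes the token useless. The scope names, endpoint names, and signing key are all hypothetical placeholders.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-signing-key"  # constructed placeholder, not a real key

# Hypothetical mapping of API endpoints to the scope each one requires.
# A mileage-only app needs "vehicle:read" and nothing else.
ENDPOINT_SCOPES = {
    "vehicle_state": "vehicle:read",
    "charge_state": "vehicle:read",
    "sun_roof_control": "vehicle:command",
    "remote_start_drive": "vehicle:command",
}
REVOKED = set()  # token ids discarded when the owner disconnects the app

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(body: str) -> str:
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def issue_token(app_id, scopes, ttl=3600, now=None) -> str:
    """Issue a signed, expiring token restricted to the given scopes."""
    now = time.time() if now is None else now
    claims = {"app": app_id, "scopes": sorted(scopes), "exp": now + ttl,
              "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims).encode())
    return f"{body}.{_sign(body)}"

def verify_token(token, now=None):
    """Return the claims if the signature, expiry and revocation checks pass."""
    if token.count(".") != 1:
        return None
    body, sig = token.split(".")
    if not hmac.compare_digest(sig, _sign(body)):   # tampered or forged
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    now = time.time() if now is None else now
    if claims["jti"] in REVOKED or claims["exp"] < now:
        return None
    return claims

def authorize(token, endpoint, now=None) -> bool:
    """Allow the call only if the token is valid AND carries the endpoint's scope."""
    claims = verify_token(token, now)
    return claims is not None and ENDPOINT_SCOPES.get(endpoint) in claims["scopes"]

def revoke(token) -> None:
    """Owner disconnects the app: the token id is discarded and no longer accepted."""
    claims = verify_token(token)
    if claims is not None:
        REVOKED.add(claims["jti"])
```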