Starting a service immediately after installation is mostly a convenience
decision Debian and derivative distros have made. 

This issue would be best brought to the attention of webhttrack's package
maintainer, not the developer. Never the less, I wonder if the default config
could be changed so that the service is only served on the loopback interface
until explicitly changed by the operator. 

Further advise for anyone running Debian and derivatives would be to have a
firewall in place so services aren't immediately available like in this
scenario.