ok..
1) setting a password on grub or bios won't let you update/reconfigure your server if you're not onsite
2) AFAIK even if "rhgb" and "quiet" are default values in grub config for SME9, they "don't work", meaning that according to this
site (for example) the verbose boot should be available removing those params.. anyway, even if you set up your grub to be less verbose, hitting Esc should give you again the possibility to see what's going on
3) IMO, security by obscurity doesn't work.. yus be sure your server is updated, your passwords are strong, your webapp (WP, Joomla ecc, if any) are updated too
and, finally.. such measures are intended to "protect" your server from people standing in front of it.. BTW, if someone has phisical access to your server, nothing will work