You're right to be concerned about setting read/write to everyone. This is a huge security risk.
The wheel group is the BSD group that can access the sudo command, as OSX is fully BSD compliant. See here. So a user in the wheel group can access root and call commands requiring root privileges.
I suggest you read up on BSD permissions. They're really not that difficult to understand.
For OSX, by default, there is no actual root account for logging in. Users are either members of the Standard User group or the Admin group.
By stating that you're using the 'built in web server' I'm going to assume that you mean Apache, but correct me if I'm wrong. With this assumption, you can run the following command in Terminal to see who the user is that Apache is running as:
# The Apache binary on OS X is named httpd, so match either name
ps aux | grep -v grep | grep -E 'apache|httpd'
From that, you should be able to start setting privileges to the user of the webserver and not everyone.
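
An added example, not part of the original answer: a shell sketch of the steps above that picks the web server's account out of `ps aux` output, lists what is still writable by everyone, and narrows access to one group. The function names are hypothetical, the `ps` sample is constructed, and the group you pass to `restrict_to_group` is assumed to be one the web server account belongs to.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not from the original answer.

# Print the unprivileged account(s) running Apache workers, given `ps aux`
# output on stdin. The parent process runs as root; the workers run as the
# account that actually needs access to the web files.
web_user_from_ps() {
    awk '$11 ~ /(httpd|apache2?)$/ && $1 != "root" { print $1 }' | sort -u
}

# List files and directories under $1 that any user on the system can write.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Give group $2 read/write on the tree at $1 and remove all access for "other".
# X adds execute only to directories (and files that are already executable).
restrict_to_group() {
    chgrp -R "$2" "$1" &&
    chmod -R g+rwX,o-rwx "$1"
}

# Constructed sample of `ps aux` output (not captured from a real machine).
SAMPLE_PS='USER   PID %CPU %MEM    VSZ   RSS TT   STAT STARTED  TIME COMMAND
root    88  0.0  0.1 2463 1234 ??   Ss   9:01AM   0:00.31 /usr/sbin/httpd -D FOREGROUND
_www    93  0.0  0.0 2463  600 ??   S    9:01AM   0:00.00 /usr/sbin/httpd -D FOREGROUND
_www    94  0.0  0.0 2463  600 ??   S    9:01AM   0:00.00 /usr/sbin/httpd -D FOREGROUND
alice  412  0.0  0.0 2432  700 s000 S+   9:05AM   0:00.00 vim httpd.conf'

# Typical use on a live system:
#   ps aux | web_user_from_ps
#   world_writable /path/to/site
#   restrict_to_group /path/to/site <group-of-web-user>
```

Run `world_writable` again after `restrict_to_group`; an empty result means nothing in the tree is still writable by everyone.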