Hello @paulpsp

You should always be careful about your Magento security. It's better to create admin roles and give them access to only those parts of your site which are needed to complete their work.

Additionally, you can use a 2-factor authentication to secure your store login even better.

You can have a look at this extension https://amasty.com/magento-security-suite.html which combines all needed security modules such as Advanced Permissions, 2-Factor Authentication I've mentioned above, Backup and Admin Actions Log. Each of them can also be bought separately.

Important step in securing you Magento is to be aware and stay on top of anything that is going on inside your files.

Security module MageFence offers a number of great monitoring features for your Magento:

• you get email notification every time a user with admin privileges logs in
• you can see all the changes made by admin users in Admin Activity log
• the module scans for changes on regular basis and notifies you every time the change in your files is found
• it also gives you a list of all changed files so you can confirm the changes you have made yourself and pinpoint the suspicious ones
• it detects users with admin privileges that are created by injecting directly into database, and notifies you immediately

Furthermore, you can protect access points to your Magento backend (Admin Panel Login and Magento Connect Manager) easily from backend and without losing functionality. And it also comes with a built-in Two factor Authentication, which adds another step to login process, so you can prevent unauthorized access even if attacker somehow gets a hold of your password.

It also has a checklist feature that will give you a quick insight in all important issues regarding security of your Magento.

Bottom line, it is like a surveillance system for your online store: nothing can go down, without you knowing it. I suggest you take a look at it, because it is a pretty good security solution that doesn't allow things like changing your files or any kind of hack attacks slip under the radar. http://www.extensionsmall.com/mage-fence-security.html

Hi @paulpsp

Following basic steps may also be helpful

1)keep note of all the credentials which you share with the developer. Like mysql, ftp,sftp,php myadmin, purchased extensions accounts, cPanel etc.

Always share only the necessary credentials.once work is complete change the credentials.

2) Do not give root user access until it is required.

3) keep your admin access IP restricted. (Use static IP)

Temporarily whitelist the developer IP.

4)create a user and role with access to required sections of admin panel.

5)try to use version control instead of giving direct access to the ftp or sftp. It will be easier for you to see what code has been changed.

There one thing you should know -- once someone has access to webstore file system he can run a script to generate new user. On change password. It's also possible to play around with database and whatnot. Having access to file system is kind of master key to everything.

Developers like me have sometimes dozens of site to take care of. It's annoying as hell to remember every password on every system, even when using LastPass or some equivalent (not really suitable for ssh passwords). Some people use same password for every site (security risk) or something based on server (another security risk), but it's much safer to use ssh keys. This approach replaces password altogether and everyone worth their salt uses this approach instead. I'm pretty sure that even though you changed server passwords, you didn't change his keys so he was able to log in anyway.