Hope someone can help. I had some work done by a freelance Magento expert, and by no means am I saying he has done anything wrong, but I just want to lock my site down. He did some work 2-3 months ago; after the work was finished I changed the passwords to both my server and the Magento back-end, and I also changed the URL of the Magento back-end login. I then needed some more work done a few days ago, and he emailed me saying that the password had changed, so he changed the Magento password and also the back-end login URL. I was a bit shocked that he could do this without knowing the new password to the Magento back-end. Could anyone tell me how to lock down the site so this type of thing is not possible?
You should always be careful about your Magento security. It's better to create admin roles and give them access to only those parts of your site which are needed to complete their work.
Additionally, you can use two-factor authentication to secure your store login even better.
You can have a look at this extension, https://amasty.com/magento-security-suite.html, which combines all the needed security modules such as Advanced Permissions, the 2-Factor Authentication I've mentioned above, Backup and Admin Actions Log. Each of them can also be bought separately.
An important step in securing your Magento store is to be aware of, and stay on top of, anything that is going on inside your files.
Furthermore, you can protect the access points to your Magento backend (Admin Panel Login and Magento Connect Manager) easily from the backend and without losing functionality. It also comes with built-in two-factor authentication, which adds another step to the login process, so you can prevent unauthorized access even if an attacker somehow gets hold of your password.
It also has a checklist feature that will give you a quick insight into all the important issues regarding the security of your Magento store.
Bottom line, it is like a surveillance system for your online store: nothing can go down without you knowing it. I suggest you take a look at it, because it is a pretty good security solution that doesn't let things like changed files or any kind of hack attack slip under the radar. http://www.extensionsmall.com/mage-fence-security.html
The following basic steps may also be helpful:
1) Keep a note of all the credentials you share with the developer, like MySQL, FTP, SFTP, phpMyAdmin, purchased extension accounts, cPanel etc.
Always share only the necessary credentials. Once the work is complete, change the credentials.
2) Do not give root user access until it is required.
3) Keep your admin access IP-restricted (use a static IP).
Temporarily whitelist the developer's IP.
4) Create a user and role with access to only the required sections of the admin panel.
5) Try to use version control instead of giving direct access to FTP or SFTP. It will be easier for you to see what code has been changed.
There's one thing you should know -- once someone has access to the webstore file system, he can run a script to generate a new user or change a password. It's also possible to play around with the database and whatnot. Having access to the file system is kind of a master key to everything.
Developers like me sometimes have dozens of sites to take care of. It's annoying as hell to remember every password on every system, even when using LastPass or some equivalent (not really suitable for SSH passwords). Some people use the same password for every site (security risk) or something based on the server (another security risk), but it's much safer to use SSH keys. This approach replaces passwords altogether, and everyone worth their salt uses it instead. I'm pretty sure that even though you changed the server passwords, you didn't change his keys, so he was able to log in anyway.
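A check for exactly that situation, added here as an example and not taken from any answer in the thread: it parses an `authorized_keys` file, lists every key that still grants SSH access, and flags the ones whose comment is not on an allowlist you maintain. The sample keys, comments and allowlist are constructed placeholders; on a real server you would run it as root against `/root/.ssh/authorized_keys` and each `/home/*/.ssh/authorized_keys`.

```shell
#!/bin/sh
# Added audit script (not from the thread). Passwords and SSH keys are separate
# credentials: a key left in authorized_keys keeps working after every password
# change until its line is removed. This lists what still grants access.

# Print "keytype<TAB>comment" for each key in an authorized_keys file, skipping
# blank lines and '#' comments. Leading options (from=, command=, ...) are
# tolerated by scanning for the first key-type field.
list_keys() {
    awk '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))$/) {
                    c = ""
                    for (j = i + 2; j <= NF; j++) c = c (c == "" ? "" : " ") $j
                    print $i "\t" (c == "" ? "<no comment>" : c)
                    break
                }
            }
        }' "$1"
}

# Print only the keys whose comment is not in an allowlist file (one expected
# comment per line). Every line printed is a key to review and, if its owner
# no longer needs access, delete.
unexpected_keys() {
    list_keys "$1" | awk -F '\t' -v allow="$(cat "$2")" '
        BEGIN { n = split(allow, a, "\n"); for (k = 1; k <= n; k++) ok[a[k]] = 1 }
        !($2 in ok)'
}

# Constructed sample data (placeholder key material, not real keys): two owner
# keys, one left behind by a contractor, one with an option prefix and no comment.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/authorized_keys" <<'EOF'
# owner's machines
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER1 owner@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCPLACEHOLDER2 owner@desktop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCPLACEHOLDER3 contractor@freelance
from="203.0.113.5" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER4
EOF
printf '%s\n' owner@laptop owner@desktop > "$SAMPLE_DIR/allowed_comments"

# On a real server run this as root against /root/.ssh/authorized_keys and
# every /home/*/.ssh/authorized_keys, with your own allowlist.
unexpected_keys "$SAMPLE_DIR/authorized_keys" "$SAMPLE_DIR/allowed_comments"
```

Keys with no comment cannot be matched against the allowlist, so they are always reported; tag every key you add with a comment naming its owner so future audits stay meaningful.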