
How do you know if your developer left a "backdoor" in a PHP website?

Published May 16, 2018. Last updated Nov 12, 2018.

There are a few ways a developer can leave a backdoor, and corresponding ways to prevent its malicious use:

  1. cPanel / SSH access: take over control of server access and change all passwords. Also remove all extra users.

  2. Login bypass: your developer may have built a login bypass so he/she could use a "universal password" to log in to any user's account. This can only be verified by reviewing the code. Alternatively, they may have used a hash for the password that is easy to crack.

  3. DB access: they may have phpMyAdmin installed, or may be able to connect to your database directly via a terminal. To avoid this, change all MySQL passwords and delete unnecessary users.
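To help direct the code review that item 2 calls for, this Python script flags two patterns in PHP source: a password compared against a string literal, and MD5/SHA-1 applied to a password. It is an added example, not code from the original post; the rule set, `scan_php`, and the PHP sample (`find_user`, `start_session`, the password literal) are constructed assumptions, and a clean result does not replace the review.

```python
import re

# Matches a PHP variable or request field whose name contains "pass" or "pwd".
PW = r"""\$(?:\w*(?:pass|pwd)\w*|_(?:POST|GET|REQUEST)\[\s*['"]\w*(?:pass|pwd)\w*['"]\s*\])"""

# Heuristic rules (assumptions about common PHP idioms, not an exhaustive set).
RULES = [
    # Password input compared against a non-empty string literal.
    ("hardcoded-password-compare",
     re.compile(PW + r"""\s*[!=]==?\s*(['"])[^'"]+\1""", re.I)),
    # Same comparison written literal-first.
    ("hardcoded-password-compare",
     re.compile(r"""(['"])[^'"]+\1\s*[!=]==?\s*""" + PW, re.I)),
    # Fast unsalted digests applied to a password.
    ("weak-password-hash",
     re.compile(r"""\b(?:md5|sha1)\s*\(\s*""" + PW, re.I)),
]

def scan_php(source):
    """Return (line_number, rule_name, stripped_line) for every rule hit."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((number, name, line.strip()))
                break  # one finding per line is enough for triage
    return findings

# Constructed sample: a login with a bypass and a weak hash, then a fixed form.
SAMPLE = r"""<?php
function login($user, $password) {
    $row = find_user($user);
    if ($password === 'S3rvice!Desk') {      // constructed universal password
        return start_session($row);
    }
    if (md5($password) === $row['pw_hash']) { // unsalted MD5
        return start_session($row);
    }
    return false;
}
function login_fixed($user, $password) {
    $row = find_user($user);
    return $row && password_verify($password, $row['pw_hash']);
}
"""

if __name__ == "__main__":
    for number, name, text in scan_php(SAMPLE):
        print(f"line {number}: {name}: {text}")
```

Every hit is a lead to read in context, since a bypass can also be hidden in included files or behind a differently named variable.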

The best approach is to have the site audited by a trusted person. Once the code has been reviewed, you can proceed to change all credentials etc.

Discover and read more posts from Rashmi Bachani