Leaving backdoors is vicious, if I were a client, I would beat for this) It ’s
better to solve such problems by paying in installments, for example 40 + 30 + 30, then the maximum you will get is 30% of the money
Now I have gone freelancing, I break the work into iterations, for example, a week, at the end of each I show what I have done and try to convince customers to pay for iterations. It is often easier for them to go ahead for the most part, but this approach allows me to better discipline myself, and the client is not "lost" in the course of work (in the sense of being in touch and you can always make sure that the expected result matches what I show him).
I think it's a good approach.

And don't be stupid yourself.
I use this rule.
For 6 years of practice there was 1 one case due to inexperience. And then the man returned the money.

If you don’t want to work in stages and on a prepaid basis, then show the project on your virtual machine without the customer’s access to the project files, transfer the files only after payment, and let him sit testing on your virtual machine, this also eliminates problems with a crookedly configured server from the customer’s side.

By the way, if you have ssh access, you can add your key to authorized_keys. Usually such scammers just change the password, and they don’t think of looking at the keys :)

For example, I take an advance payment when there is something to show and the main part before transferring files

I got to such a site once ((I paid for one project, and started to cheat and ignore it for the second)) as a result, I changed the password in the admin panel, which he had to roll back several backups back)) as a result of which his site began to look like on the initial stages of development)) here is such a small revenge)) at least it warms the soul a little

So to speak.
Decent customers EXTREMELY dislike backdoors. But with decent clients, payment is transparent, stage by stage.
In your case, it's really your own fault that you foresaw such a development option. You can protect yourself from throwing in different ways, but backdoors are already an aggressive option, it is better to do without it.
Because the backdoor at the start is useless. If the customer has the source code and the base, any scammer will usually guess to make a backup before installing it on the site - that is, for the backdoor to work, it must be available already in production and after some time, otherwise there is no damage. And if the customer is normal, and he has a backdoor in production, which you suddenly climb to remove in a week, he will doubt that it makes sense to deal with you in the future. You never know what else you can steal through the backdoor.
In general, protect yourself in advance and by "peaceful" methods.

I never transfer a site to a customer's hosting before payment (unless it's an hourly deal or a trusted partner). Safety script - cool, fun, but colleagues perfectly described the consequences)

I would write a self-destruct script (complete auto-demolition of the engine and base if not deactivated).
For don't breed

The practice exists - people leave themselves backdoors for every fireman.
But if the customer pays carefully and behaves adequately, and then accidentally finds a backdoor that was not sawn in time, then it will turn out very badly - you can lose the customer and reputation, then you have to prove on the forums "I'm mechanically" (c).
Therefore, it is better to take an advance payment or hourly through escrow. Yes, there is a risk, especially for front-enders who write client-side code for which all sources are visible, but it's better this way.