Yes, there can be 1 line of code that can fucking demolish the entire site or give full access to an attacker.
If you are friends with php, then open each file and check, you can automate a superficial search, but then there will be no 99% guarantee, if you are not friends, then hire a programmer and they will do everything for you for $$$$$.
In order not to be unfounded, a simple code example (shell):
^^^
Add this line of code to some file (depending on the structure of the code), then just send a POST request to the desired page and voila ..
Given that THAT dude knows what's going on in your script and given that he had access to it, then trust me, there are a lot of different options for pestering you. What is the code above, you can just leave some field without filtering and use it to get information from the database or do something else

According to the request logs, when the site is deployed and running, identify suspicious activity. Then it's a matter of technology to track the entire chain.

https://yandex.ru/promo/manul/