pipkin07, 2017-12-25 20:18:33

How to safely transfer access to the site to new programmers?

Good day. My name is Ilya. Some time ago I got the idea to create a website. Just so you understand, I'm not a programmer. I found a good freelancer. He did a quality job. I invested quite a large amount of money (for me). The site is currently running successfully.
The question is how to safely hand over the hosting credentials to programmers. Let's say when my trusted person can't help, I'll have to deal with fresh blood, so to speak. I'm afraid to give out the credentials for the hosting and for the server (where the site is located), because they can steal all the accesses and important files, or simply sneak in malicious code that will steal money (from the balance).
Please advise me based on your experience. And if you know, please tell us how serious companies keep their programmers from stealing files. For example, at some top bank or stock exchange. After all, there is a great temptation)


10 answers
Maxim, 2017-12-25
@Mx21

A contract must be concluded; if there is no contract, then look at the reviews and work through safe transactions, if it is freelancing. Of course, I don't know what kind of site you have, but if a person has a lot of reviews and a high rate, it makes no sense for him to spoil his reputation.
And, in general, it's a good idea to use some kind of version control system and not give access to production. Third-party developers make changes and upload them to the repository; your verified person looks, and if everything is OK, then deploys to production.

Alexander Taratin, 2017-12-25
@Taraflex

Work under a contract.
Use a version control system.
Do not give access to production.
Use docker to quickly deploy the site on local developers' machines, or keep a separate server for development.
Rolling out finished features to the main server is allowed only to trusted persons (and naturally not via (s)ftp or ssh).
Pay developers on time and enough that they don't want to mess things up.

Pavel Kornilov, 2017-12-25
@KorniloFF

Make a beta version of the site and give access to it.
And then check the work sooo carefully, including with online antivirus scanners. And only after that synchronize with the main site.
I don't know of any other methods that are radically different from those described.

Maxim Fedorov, 2017-12-25
@Maksclub

To prevent passwords from being stolen from you, there must be no such possibility ...
1. As already mentioned above: version control (Git, Mercurial) ... that is, the code will be fully visible through Git hosting (for example, GitHub), with a history of where and how it was changed; it looks something like this:
Also, this will give you the opportunity to separate work on the project from the real project on the production server, to which the freelancer simply won't have access :) That is, the work goes on with an up-to-date copy, and the freelancer has code to work with.
2. As you understand, method 1 will not save you from the code itself being stolen, so let's move on to this: you need to look carefully for a specialist and not give all the access to the first one that comes along ... if your programmer is busy, let him recommend someone, or he may even advise you himself!
3. It is important, if you are going to work with a changing staff, to take care of written instructions, as theft and mistakes can happen by accident.
To deal with all this, I recommend hiring a separate consultant who would sit down with you and draw on A4 all the ways of working, so that you don't turn into an unapproachable paranoiac and at the same time all your business tasks get done ... security should not do harm ... 3-4 hours will be enough to think everything through ...
Also, of course, there is a reasonable limit to everything; it may turn out that password theft fits well within your business model in terms of costs, if you just make backups, and all sorts of Git and complex schemes are not worth it for you ... you never know, you need to calculate ...
Even more proper companies with a whole staff of programmers have screw-ups: programmers have access to the production database, it is not controlled in any way, and everything is done haphazardly ... and the companies feel fine ...

vism, 2017-12-25
@vism

Do not work with freelancers.
There is no way to defend yourself.

Moris Haos, 2017-12-25
@morihaos

Hi,
Option 1. "Let's say when my trusted person can't help, I'll have to deal with fresh blood, so to speak." You answered your own question: you need to have one or more additional verified people. That is, people you trust.
Option 2. Understand what programmers do for you; actually become one.
Version control systems cannot protect you; they can only help you analyze the code for changes, and you need to understand that code, that is, to be a programmer again. And it doesn't matter whether it's a freelancer on the other side of the world or a programmer sitting behind the wall in your office. It's all about trust.

Maxim, 2017-12-26
@khrisanfov

1. Put the project in Git.
2. Move the database logins and passwords into a config file that is not stored in git.
3. Create a dev server with a complete copy of the site, except for the database login and password, and give access only to it.
4. Learn how to upload new code yourself. In git this is done with one command; no superpowers are needed for this.
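The four steps in the answer above, as an added example that is not from the thread: a throwaway git repository where the real config is ignored and guarded by a pre-commit hook, a dev clone that only ever gets the placeholder template, and a one-command deploy that pulls code while the owner supplies config.php from outside git. It assumes git is installed; all paths, file names and credential values are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: the four steps above as a minimal git layout.
# Assumes git is installed; every path, file name and credential value is constructed for the demo.
set -e

# Steps 1 and 2: a repo where the real credentials live only in config.php, which git ignores.
# A committed template (config.example.php) with a placeholder lets a freelancer run the site.
setup_repo() {
  repo=$(mktemp -d)
  ( cd "$repo" && git init -q && git config user.email dev@example.invalid && git config user.name dev
    printf 'config.php\n' > .gitignore
    printf '<?php return ["db_pass" => "CHANGE_ME"];\n' > config.example.php
    printf '<?php $cfg = require __DIR__ . "/config.php";\n' > index.php
    # pre-commit hook: refuses the real config (even after `git add -f`) and credential-looking lines
    cat > .git/hooks/pre-commit <<'HOOK'
#!/bin/sh
git diff --cached --name-only | grep -qx 'config.php' && { echo "refusing: config.php is secret" >&2; exit 1; }
git diff --cached -U0 | grep '^+' | grep -Ei 'db_pass|password' | grep -qv CHANGE_ME \
  && { echo "refusing: staged line looks like a real credential" >&2; exit 1; }
exit 0
HOOK
    chmod +x .git/hooks/pre-commit
    git add .gitignore config.example.php index.php && git commit -q -m "initial" )
  echo "$repo"
}

# Returns 0 if the hook blocked an attempt to commit a real credential into the repo at $1.
commit_of_secret_is_blocked() {
  ( cd "$1" && printf '<?php return ["db_pass" => "hunter2-real"];\n' > config.php
    git add -f config.php
    if git commit -q -m "oops" 2>/dev/null; then exit 1; else git reset -q config.php; exit 0; fi )
}

# Step 3: a dev copy is just a clone of the repo at $1; it gets the template, never the real config.
make_dev_copy() {
  d=$(mktemp -d) && git clone -q "$1" "$d/site" && cp "$d/site/config.example.php" "$d/site/config.php"
  echo "$d/site"
}

# Step 4: the owner deploys repo $1 with one command (clone, then pull on later runs) into $3.
# The real config is a file the owner keeps outside git ($2) and copies in by hand.
deploy() {
  if [ -d "$3/.git" ]; then git -C "$3" pull -q; else git clone -q "$1" "$3"; fi
  cp "$2" "$3/config.php"
  # sanity check: config.php exists on prod but is not tracked by git
  [ -f "$3/config.php" ] && ! git -C "$3" ls-files --error-unmatch config.php >/dev/null 2>&1
}
```

The hook is a cheap last line of defence against an accidental `git add -f config.php`; the real protection is that the production credentials never exist anywhere a freelancer can read them.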

Puma Thailand, 2017-12-26
@opium

git

Anatoly Kirsanov, 2017-12-26
@bitrixworkshop

Ask this question to someone you trust. Obviously, this is the person who built the site. A normal person will understand and explain everything. He, too, can guess that he won't be working with you forever.
If I had been asked such a question (I haven't been yet), I would have thought about it. There is no complete protection. Neither version control, nor archives, nor complex distribution schemes (development, testing, production servers) will save you from all risks.
Of course, it all depends on what you're doing. It may happen that the banal theft of data from a single DBMS table will be enough to kill the whole thing.
It also matters what task the person is needed for. If you doubt a person or a situation, you need to give exactly as many rights as will allow the task to be completed. But how can you know this (the necessary minimum of rights)?
As a small distraction, think about how you protect your own PC or laptop from illegal actions. And see how the protection measures change depending on the risks covered. I used to encrypt my hard drive, just so that in case of theft my data would not become public. There are simpler risks (for example, dubious guests guessing passwords at the PC keyboard). And for every risk there is a response, from a lock on the PC case to more complex schemes.
Websites and Internet businesses have their own set of risks. If you think that ratings on a freelance exchange or an employment contract will protect you from everything in the world, you are mistaken.

InoMono, 2018-01-23
@InoMono

Just so you understand, I'm not a programmer.

No way, if you are not an expert yourself and cannot hire another specialist to check.
In larger projects, this is solved by separation of duties and separation of access (so that not everyone can get everywhere) and by having the code checked by one person after another.
In your case:
either trust them. After all, most people are not crooks.
or have the received work checked by an independent person.
A nice option is Git and CI/CD. This requires an admin (of course, this should not be the same person as the programmer) who will set up CI/CD,
AND a programmer who will do the work, putting the results in git, where it will be possible for another programmer to easily track what he did there.
And the code will go to the site automatically.
Another option is to build the site on a ready-made PaaS platform; then you can do without an admin (for example: Heroku, Google App Engine, OpenShift). The procedure for rolling the code out to the site in this case is very simple, and you can even do it yourself.
In this case, all the programmer's work is in plain sight (in plain sight of the reviewing colleague as well), and it is physically difficult for him to inject malware in such a way that the colleague who verifies his work does not notice it.
If you really have something to lose and the amounts exceed the cost of hiring an additional person for verification, then it makes sense to bother.
If your potential losses are at the level of 1000 rubles a month, accept them; the check will cost more.
