[Jon]

The admin email addresses are particularly concerning as that means he can request admin password and login to your admin at any time, and may also be receiving email notifications etc. I would start by adding .htpasswd protection on the admin directories (if already present make sure login/pass is updated) and then go from there.