Our volunteer techy help and site admin had a fairly major disagreement about 4 months ago - one of them hacked the site and basically totally buggered it up - we had it rebuilt and it is on a new server. Today one of the old techy people sent me an email telling me he still has an old backup (about 4 months old) and intends to use the "passwords and scripts" in it to destroy the site. We are a not for profit organisation supporting people who are suicidal and have mental health problems - I have 30k members that come to the site for support and, well, in a lot of cases to keep themselves alive.
We have changed all the server passwords, cpanel, root, ftp and the works. All the admin passwords for xenforo have been changed too. I believe that the passwords in the database are (or should be) all encrypted. I have no idea what he means when he refers to "using the scripts".
Any ideas on precautions I can take besides what I have mentioned to protect the site for our members? And what kind of risk I am looking at (we have a full current backup - it is taken daily server side)