Well, if that's too much, would it be adequate to set up an FTP account for the developer, copy your files into it, have him develop and test as best he can on another system, upload the changed files to the FTP account, and you copy them back to their final place for your testing? It would be a shame to put up with a problematic site just because you feel you can't trust the developer. If you can't get references for them, it's understandable that you'd be wary, but a signed contract spelling out that they are not to go into any other part of the site would go a long way in court (you would grant them full FTP/cpanel access, but not account access). And after they finish, change all passwords before making the final payment. Know what files are there before the developer starts, so you can check for backdoors and trojans and any unauthorized modifications.
I'll move this over to the LPCP board, in case anyone watching there has another solution.