He was using the accounts of the USERS of the websites, not the OWNERS. Putting in a backdoor would mean that even when the admin passwords are changed, he would still have access to the data. Also, a backdoor likely also gives a level of plausible deniability to deflect suspicion should a 'hack' ever be spotted internally - "it can't have been me. I never had access to the live server. I just gave you the code to deploy yourself".