Forum Moderators: coopster


How to fire your php/mysql website Admin safely?

closing the loopholes on your site

         

johnafrid

1:12 pm on Mar 20, 2005 (gmt 0)

10+ Year Member



I need to fire my website admin after the completion of a project. It seems like he may create trouble for me later on, and I have valid reasons for this.

What would be the best way to secure my website after he leaves? What are the ways/loopholes that he may exploit to damage my business? I would really appreciate it if you guys could share your experiences here.

ergophobe

7:13 am on Mar 21, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Well, there's the obvious:

Complete site backup including a database dump.

Change all passwords:
- control panel
- shell login
- database passwords
- site passwords if any

Note that changing all database passwords will break any scripts that depend on those passwords. You'll need to update the passwords as used in mysql_connect() or whatever you're using to connect to the database.

Lock down the site before you mention anything to him.

Beyond that there are many things a malicious person could do and could have already done if he already suspects that he may want to strike back at you. How complex is this site (how many PHP files? how much user input?) You might want to go through them quickly if you have the skill and look for suspicious code that would allow someone to write files, delete files, delete or change data from the database, change the DB structure.

Do you know any PHP? Are you handy with grep?
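Added example, not part of ergophobe's post or of the original thread: a small Python scanner for the review described in the post above, flagging PHP lines that write files, delete files, or change database data or structure, plus the `mysql_connect()` calls whose passwords need updating after the change. The rule lists, the extra "runs code or commands" category and the sample PHP are assumptions constructed for illustration; a hit only marks a line for manual reading.

```python
import re
import sys
from pathlib import Path

# Labels follow the checklist in the post; "runs code or commands" is an added category.
RULES = {
    "writes files": r"\b(fopen|fwrite|fputs|file_put_contents|move_uploaded_file|copy|rename|chmod)\s*\(",
    "deletes files": r"\b(unlink|rmdir)\s*\(",
    "changes data or schema": r"\b(DROP\s+(TABLE|DATABASE)|TRUNCATE|ALTER\s+TABLE|DELETE\s+FROM|UPDATE\s+\w+\s+SET)\b",
    "runs code or commands": r"\b(eval|system|exec|shell_exec|passthru|popen|proc_open)\s*\(",
    "database login to update": r"\bmysql_p?connect\s*\(",
}
COMPILED = {label: re.compile(rx, re.IGNORECASE) for label, rx in RULES.items()}

# Constructed sample input, not code from the site under discussion.
SAMPLE = '''<?php
$db = mysql_connect("localhost", "site_user", "old-password");
$rows = mysql_query("SELECT id, title FROM articles");
mysql_query("DELETE FROM sessions WHERE expires < NOW()");
$fh = fopen("cache/menu.html", "w");
unlink("tmp/upload.lock");
mysql_query("ALTER TABLE users ADD COLUMN notes TEXT");
?>'''


def scan_source(text):
    """Return (line_number, label, line) for each rule that matches a line."""
    return [(no, label, line.strip())
            for no, line in enumerate(text.splitlines(), 1)
            for label, rx in COMPILED.items() if rx.search(line)]


def scan_tree(root):
    """Scan every *.php file under root; return {path: hits} for files with hits."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


if __name__ == "__main__":
    # With a directory argument, audit that tree; otherwise show the sample.
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"SAMPLE": scan_source(SAMPLE)}
    for path, hits in found.items():
        for no, label, line in hits:
            print(f"{path}:{no}: [{label}] {line}")
```

Run it against a copy of the site taken from the backup, so the review does not depend on the live server staying untouched.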

timster

2:18 pm on Mar 21, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Beyond the PHP-specific stuff:

- Change the locks on the office (even if you don't think he has a key)
- Especially if your website is hosted at your physical location, get a good firewall and make sure it's properly configured, has new passwords, etc.
- If your site is hosted elsewhere, inform your web host of the situation

Also consider the human factor. If your buddy has friends who will remain at the organization, let them know your expectations when the guy says, "If you just tell me the new password I can help you out."

Sorry to preach, but trying to let the guy down easy is probably one of the less expensive things you can do here.

MatthewHSE

4:57 pm on Mar 21, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



For what it's worth, if I thought there was reason to fire the guy I probably wouldn't use his work at all. (Particularly if there's the slightest chance that he has any inkling now that he'll be fired later.)

lZakl

1:47 pm on Mar 22, 2005 (gmt 0)

10+ Year Member



I know this really isn’t the same, because he wasn't a web developer... But I had to let someone go a while back. I changed passwords and locked him out before he came in that day, and until this day I am still finding sabotage on the PC he was using. He was even low enough to bring in a Compaq CD-ROM and switch it out with the DVD ROM in the Macintosh at his desk. He obviously didn’t know that all Apple software is on DVD. That’s beside the point. You need to know what he had access to, and filter through it all with a fine-toothed comb, get rid of anything that is disposable, or that you think you could easily re-create. And catalog everything ... Also look for Wi-Fi Access points. I found 2.

-- Zak

johnafrid

3:24 am on Apr 6, 2005 (gmt 0)

10+ Year Member



Wow, sorry to get back so late with you guys. Everything seems to be working fine. It was just a concern and I wanted to be ready for it. Better be ready than sorry later. I rarely post here but all the guys have been just fantastic here. Thanks for everything.