Assuming you have admin access, the first thing to do is to downgrade his admin user to ‘contributor’ (lowest level). If you have been sharing the admin access, create a new admin account just for you, then log in as that account, and then downgrade that admin account. And don’t create an account called ‘admin’ – it’s a account that hackers like to attack.
Second, change the password for your hosting account. And then change the password for any FTP accounts. That should prevent the developer from making changes to the database – or destroying files.
Third, change the password on your WP database. This will require changing the password in the wp-config.php file, so change that to the new password after changing the database password.
Fourth, get a complete backup of your site (database and files). Your hosting account probably has a backup process you can use, or you can add a backup plugin to the site.
Fifth, if you think the developer had access to your domain registration account, change the password there aslo.
All of these items are a bit technical, but there are many googles/bings/ducks where you can get help. You can also get help from your hosting place through their support. Doing the above will secure your site from damage by the web guy.