Oh but it can.
Firstly, contrary to popular belief, most business fraud involves a trusted insider, who may not otherwise have access to your code.
Secondly, if somebody wants to trash your site, sure, access to the admin would allow them to pretty much do that. But for what benefit? You'd simply restore it from your backup, and move on. A bit painful, yes - but what's the hacker got out of it? After all you're not storing credit card details or anything that could give them a financial benefit on your site. On the other had, if they can access the code base, even if only indirectly through the admin, that could be used to quietly divert payments, something which you may not notice for a while, or at all until you start to get complaints about unfulfilled orders some time later - an more lucrative form of attack that has been reported in the past in this forum.
Bookmarks