No, you can not add Site Bandit to a site after the passwords have been changed and your locked out. We must stress Site Bandit is not a hacking tool. It is simply a small module you install at the beginning of a project when you have full FTP access and everything is good with the client. Hopefully you will not need to use it...but it's your safety net if things go bad with the client.

Absolutely. If the work you did was all done in the database and not in the file structure you can select "Database only" when your "undoing" your work.

Two things are important here:
1: Your client or his "new" web guys have no idea what to look for as:
a. You can custom name the Site Bandit folder
b. You can hide it deep inside other folders when you install it.
2. If you inform the client at the beginning that you have installed the Site Bandit tool as a safety measure and he either asks you to remove it or tries to remove it himself...that is a huge red flag and you may want to drop the client as he is obviously looking to steal your work anyway. Either way Site Bandit has saved you from a bad client.

Agreed that is always the safest way to work with clients. In fact that's how we at IMC Media Group work. But we have had issues in the past with checks that bounced after sites / code was released, and the most common one...the infamous credit card dispute...and you know the credit card companies always the take customer side, leaving your with no recourse...Well now you can get your work back and if client doesn't cancel the credit card dispute...they don't get it back.