To start, remove vsFTP ASAP. Throwing source code and passwords over the internet in plain text is an extremely bad idea. FTP should ONLY be used for anonymous file transfer, sftp or ftp+ssl should be used and remove redundancy. Having 2 daemons makes you twice as vulnerable to exploitation, think about reducing attack surface as much as possible.
A traditional Chroot jail is probably overkill although it could get the job done. There are 2 threats you have to worry about. The first is that a user can download/modify code using ssh. This can be defended against by using the ChrootDirectory configuration in your sshd config file:
ChrootDirectory
Specifies a path to chroot(2) to after authentication.
This
path, and all its components, must be root-owned
directories that
are not writable by any other user or group. After the
chroot,
sshd(8) changes the working directory to the user's home
directory.
The next threat is that the programmer could upload malicious code, such as a PHP backdoor to gain access to your system. This is far more insidious because a backdoor could be as simple as adding 2 characters or removing 2 characters.
The most secure approach to the threat of a malicious insider is to use svn+ssh, force each programmer to do development on their local system and then review all code that is submitted. SVN will keep track of who has added what code to your system. After you have tested the code for vulnerabilities, ether intentional or accidental then you deploy a "release" build on your live server. Doing development on a live server is a bad idea as it leads to accidental down time during development.
