Yes, it is very possible for an attacker to install something on the server. If they have the ability to upload and execute arbitrary PHP code, then they can install anything that they want.
The only way to safely deal with this is to rebuild the server from scratch and ensure that you use a known clean version of your website. You should then ensure that the only way to log into the server is a secure SSH connection with a private/public key and no passwords. Also, set up something like fail2ban to ensure that brute-force attacks are not viable.
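
One way to confirm the "private/public key and no passwords" setting on the rebuilt server, as an added example that is not part of the original answer: a bash check of OpenSSH `sshd_config` keywords. The function names and both sample configurations are constructed for illustration, and the parser assumes whitespace-separated `Keyword value` lines with no `Include` files.

```bash
#!/usr/bin/env bash
# Added example: check that an sshd configuration allows key-based login only.
# Input is a file in sshd_config syntax (saved `sshd -T` output also works).

# Print the global value sshd would use for a keyword. sshd keeps the FIRST
# value it reads for each keyword, keywords are case-insensitive, and
# settings inside Match blocks are conditional, so parsing stops there.
sshd_value() {  # usage: sshd_value KEYWORD FILE DEFAULT
  awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$3" '
    /^[ \t]*#/              { next }
    tolower($1) == "match"  { exit }
    tolower($1) == key      { print tolower($2); found = 1; exit }
    END                     { if (!found) print def }
  ' "$2"
}

# Report every setting that still permits a password; return the count.
audit_sshd() {  # usage: audit_sshd FILE
  local file=$1 findings=0 legacy kbd
  if [ "$(sshd_value PasswordAuthentication "$file" yes)" != no ]; then
    echo "FAIL: PasswordAuthentication is not 'no'"; findings=$((findings + 1))
  fi
  # Keyboard-interactive (older keyword: ChallengeResponseAuthentication)
  # can still prompt for a password through PAM, so it must be off as well.
  legacy=$(sshd_value ChallengeResponseAuthentication "$file" yes)
  kbd=$(sshd_value KbdInteractiveAuthentication "$file" "$legacy")
  if [ "$kbd" != no ]; then
    echo "FAIL: keyboard-interactive authentication is not 'no'"; findings=$((findings + 1))
  fi
  if [ "$(sshd_value PubkeyAuthentication "$file" yes)" != yes ]; then
    echo "FAIL: PubkeyAuthentication is disabled"; findings=$((findings + 1))
  fi
  return "$findings"
}

# Constructed sample: the later "no" is ignored because the first value wins.
WEAK=$(mktemp); printf '%s\n' '# constructed sample' 'PasswordAuthentication yes' \
  'PasswordAuthentication no' 'UsePAM yes' > "$WEAK"
# Constructed sample: passwords and keyboard-interactive both disabled.
HARDENED=$(mktemp); printf '%s\n' 'PubkeyAuthentication yes' \
  'PasswordAuthentication no' 'KbdInteractiveAuthentication no' > "$HARDENED"

audit_sshd "$WEAK" || echo "weak sample: $? finding(s)"
audit_sshd "$HARDENED" && echo "hardened sample: key-only login"
```

On a live host, feeding the function the saved output of `sshd -T` covers `Include` files and compiled-in defaults that a single-file parse misses.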