"Do I make more sense now? "
Yes, running a cron job on another site makes sense. As I mentioned, we now have a tool monitoring all of our servers in-house, and it's a fairly simple matter for it to also monitor the status of several files on our website, by SSHing over and checking the files on a regular basis. It's not an ACTUAL FIM, but without a DH-based FIM, it's pretty decent.
One of my operating parameters was that the attacker has completely compromised the website and is probably bragging about it -- not a subtle attack at all. This would be particularly awkward for us, reputation-wise -- we could lose customers pretty much instantly if that happened. Were I to be told about this, I would be expected to wipe and restore the site in minutes, if possible.
However, it is now my understanding that a login to the Control Panel from any IP other than the usual one (even with the proper credentials) does not allow access to the Control Panel until the registered email address has confirmed back that this IP access is okay.
So, that helps a great deal (and makes good sense anyway).
In order for someone to compromise our website through a credentialed attack, they would need not only our credentials, but to be able to spoof our IP.
As far as what DH considers authentication, using the Web Panel is probably good enough, considering the above information.