Researching email spam on a website.

Headers of spam message show username of website user @ website server name.

Messages being sent to mail.ru, typical.

Check of visitor logs show majority of requests are wordpress attacks. ouch.
Top 4 countries visiting. Considering this is a local Australian business, this is a red flag.
United States us 24,119 24,192 5.33 MB
Brazil br 16,235 16,235 1.88 MB
Russian Federation ru 3,665 3,685 12.19 MB
Romania ro 2,979 2,979 336.15 KB

WordPress content directory shows:
wp-content/uploads/

header.php
8.23 KB
Jun 4, 2018, 4:11 PM
application/x-httpd-php
0644
login.php
2.25 KB
Jun 4, 2018, 4:11 PM
application/x-httpd-php
0644
newsleter.php
9.28 KB
Jun 4, 2018, 4:11 PM
application/x-httpd-php
0644
wp-layouts.php
32.37 KB
Jun 4, 2018, 4:11 PM
application/x-httpd-php
0644
wp-nav-menus.php

PHP files should never be in the uploads dir. And viewing them shows they are hacked.

Weird set of files in the wp-admin folder:
bara.php
356 bytes
Yesterday, 6:45 PM
application/x-httpd-php
0644
barley.php
388 bytes
Jun 6, 2018, 4:35 AM
application/x-httpd-php
0644
baronets.php
388 bytes
Yesterday, 8:08 PM
application/x-httpd-php
0644
bawl.php
388 bytes
Yesterday, 6:13 PM
application/x-httpd-php
0644
beerier.php
388 bytes
Jun 5, 2018, 9:57 PM
application/x-httpd-php
0644
bejewelling.php
388 bytes
Yesterday, 8:49 PM
application/x-httpd-php
0644
bestiality.php
388 bytes
Yesterday, 6:37 PM
application/x-httpd-php
0644
Betty.php
356 bytes
Jun 5, 2018, 10:00 PM
application/x-httpd-php
0644
Blake.php
388 bytes
Yesterday, 6:33 PM
application/x-httpd-php
0644
blurb.php
388 bytes
Jun 6, 2018, 9:32 PM
application/x-httpd-php
0644
Brad.php

public_html folder has:
wp.php with below contents: