Spam inc.php found in wordpress site


One of my servers is using the latest version of Wordpress and some plugins. My email suddenly started receiving hundreds of ‘Undelivered Mail Returned to Sender’ emails. After some investigation I traced this back to a few minutes before the emails began there was a file created in wp-content/plugins/php-execution-plugin/includes called inc.php which was sending the spam emails.

How do I find out how inc.php was created?

How do I prevent other simular files being created?

The from line of the email source is From: “Starbucks” the “Starbucks” portion is not a valid user on my site while the IS a vilid email address.

Is there a way to prevent email from an invalid user form being sent out?

I have done some more reading about SMTP Server Options. Would adding ‘permit_mynetworks permit_sasl_authenticated reject’ in Restrictions on sender addresses on the SMTP Server Options page stop emails being sent by an invalid user?


It’s difficult to prevent a valid user on your server from sending emails… although an invalid user somehow gained access to WordPress on your server, once they did so the system treats them as a valid user.

There’s a lot of systems on your server that expect to be able to send emails as a local user without having to authenticate with Postfix (cron, for example).

As far as how they got in – that’s difficult to say, though it may be been through a vulnerable plugin. They also could have guessed a WordPress user’s password.


Hi Eric

Please redo from beginning because this site hid an important part of the question and I did not realise until now and have added formatting.

Is it possible to stop email with an invalid user in the from part of the header being sent out.
eg From: “Starbucks”