LocalRelay Issue and WordPress
We have a server where one account is using WordPress and is constantly being exploited and used for sending spam. It is only this one account on the server that is causing problems. The WordPress installation is constantly updated, including themes and plugins not in the WordPress library. It is also running the WordFence and AIO WP Security & Firewall plugins. Both are heavily enabled, but the spammer files still show up from time to time. Tracking down the exploited files used for this is never an issue, and it is obvious to me that there is a file these scans are missing which has been exploited and is the entry point, but that is not my concern, as this is going to happen with any account over time, especially with the heavy usage of WordPress nowadays. Methods are already in place to mitigate the spam sending, along with CXS, which picks up the majority of them.
My concern is that these kiddie spam files are able to send email through the server without authenticating with an email account. They come from the domain but never use a valid email address.
The server environment:
2.6.32-531.29.2.lve1.3.11.1.el6.x86_64 #1 SMP Thu Dec 18 06:49:17 EST 2014 x86_64 x86_64 x86_64 GNU/Linux - CloudLinux with CageFS enabled
WHM 11.50.0 (build 23)
PHP compiled with RUID2
PHP 5.4.42 (cli) (built: Jul 1 2015 20:04:33)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies
with XCache v3.2.0, Copyright (c) 2005-2014, by mOo
with the ionCube PHP Loader v4.7.5, Copyright (c) 2002-2014, by ionCube Ltd., and
with Zend Guard Loader v3.3, Copyright (c) 1998-2013, by Zend Technologies
with XCache Cacher v3.2.0, Copyright (c) 2005-2014, by mOo
with Suhosin v0.9.36, Copyright (c) 2007-2014, by SektionEins GmbH
WHM Tweak Settings:
Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak): Off (Enabled in Configserver)
Prevent "nobody" from sending mail : On
Configserver Firewall settings:
SMTP_BLOCK = "1"
SMTP_ALLOWLOCAL = "0"
SMTP_ALLOWUSER = "cpanel"
SMTP_ALLOWGROUP = "mail,mailman"
SMTPAUTH_RESTRICT = "1"
The following has already been performed:
/scripts/fixrelayd
/etc/init.d/exim restart
/usr/local/cpanel/bin/tailwatchd --disable=Cpanel::TailWatch::Antirelayd
Exim Configuration:
Query Apache server status to determine the sender of email sent from processes running as nobody: On
Trust X-PHP-Script headers to determine the sender of email sent from processes running as nobody: On
log_selector=+all -host_lookup_failed -lost_incoming_connection
Example email from exim_mainlog:
cwd=/home/username/public_html/wp-includes/js/tinymce/skins 4 args: /usr/sbin/sendmail -t -i -fdoris_wallace@thedomain.com
2015-07-19 14:14:04 [59057] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1ZGvuO-000FMR-1u
2015-07-19 14:14:04 [59058] 1ZGvuO-000FMY-L7 <= doris_wallace@thedomain.com U=username P=local S=1433 M8S=0 id=c3b48164e058b38dc9b273240d1783a3@thedomain.com T="You have a quick bang request" from for someuser@gmail.com
My question is this: with email able to be sent through the user account via sendmail without authenticating with a valid email account, what methods have you found to remedy this? Is there any way we can lock down sendmail or force it to use a valid email account without disabling it completely?
Thank you for your thoughts on the matter.
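The exim_mainlog lines above are the useful evidence: with log_selector=+all, every local submission is logged once as a "cwd=... args: /usr/sbin/sendmail ..." line (the working directory of the PHP script and the arbitrary -f envelope sender it passed) and once as a "<= ... U=user P=local" line naming the cPanel account. The script below is an added example, not code from the original post or from cPanel, that pulls those two facts out of the log so the account and the dropper directory can be found quickly. It assumes cPanel's default log path /var/log/exim_mainlog; the log lines embedded in it are constructed to match the format shown in the post.

```shell
#!/bin/sh
# Added example: locate mail handed to /usr/sbin/sendmail from a web document root,
# and count local (P=local) submissions per cPanel account, from exim_mainlog.
# Assumes the "cwd=... args:" logging that log_selector=+all produces.
# The sample log below is constructed for this example.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2015-07-19 14:14:03 [59056] cwd=/home/username/public_html/wp-includes/js/tinymce/skins 4 args: /usr/sbin/sendmail -t -i -fdoris_wallace@thedomain.com
2015-07-19 14:14:04 [59057] cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1ZGvuO-000FMR-1u
2015-07-19 14:14:04 [59058] 1ZGvuO-000FMY-L7 <= doris_wallace@thedomain.com U=username P=local S=1433 M8S=0 id=c3b48164e058b38dc9b273240d1783a3@thedomain.com T="You have a quick bang request" from <doris_wallace@thedomain.com> for someuser@gmail.com
2015-07-19 14:20:11 [59101] cwd=/home/otheruser/mail 3 args: /usr/sbin/sendmail -t -i
2015-07-19 14:21:00 [59120] cwd=/home/username/public_html 4 args: /usr/sbin/sendmail -t -i -fwebmaster@thedomain.com
EOF

# One line per sendmail invocation whose cwd is under /home/<user>/public_html:
#   <user> TAB <-f envelope sender, or "<none>"> TAB <cwd>
# Both "-faddr" and "-f addr" forms are handled.
web_sendmail_calls() {
  awk '
    $0 ~ "cwd=/home/[^/ ]+/public_html" && $0 ~ "args: /usr/sbin/sendmail" {
      cwd = ""; sender = "<none>"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^cwd=/)      cwd = substr($i, 5)
        else if ($i == "-f")   sender = $(i + 1)
        else if ($i ~ /^-f./)  sender = substr($i, 3)
      }
      split(cwd, p, "/")            # p[3] is the account name in /home/<user>/...
      print p[3] "\t" sender "\t" cwd
    }' "$1"
}

# "<count> <user>" for every account that injected mail locally (P=local),
# most active account first. This is the account to look at when the
# -f sender is not a real mailbox.
local_submissions_by_user() {
  awk '
    / <= / && / P=local / {
      for (i = 1; i <= NF; i++) if ($i ~ /^U=/) c[substr($i, 3)]++
    }
    END { for (u in c) print c[u], u }
  ' "$1" | sort -rn
}

# Stand-alone run: point LOG at /var/log/exim_mainlog on a real server.
LOG=${1:-$SAMPLE_LOG}
echo "== sendmail called from web roots (user, -f sender, cwd) =="
web_sendmail_calls "$LOG"
echo "== local submissions per account =="
local_submissions_by_user "$LOG"
```

On the constructed input the first report lists the two calls from the "username" account, with the forged doris_wallace@ and webmaster@ senders and the directory each script ran from; the /home/otheruser/mail call is skipped because it did not come from a document root. The cwd column is where to start looking for the dropper; the -f column shows why the mail never needed a real mailbox.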
-
Hello, you need to disable the PHP mail function on your server. You can update the disable_functions list in your php.ini file to disable it.
-
Hello :) Yes, as mentioned, have you tried disabling the PHP mail function to see if the issue continues? Note this would force users to send email via SMTP authentication in their PHP scripts. Thank you.
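Both replies point at disable_functions in php.ini. One caveat a practitioner will want when applying that advice: disabling mail() alone does not stop a dropped script from running /usr/sbin/sendmail itself through exec(), system(), passthru(), shell_exec(), popen() or proc_open(), and the resulting exim_mainlog line looks identical to the one in the question. The audit below is an added example, not code from the replies or from cPanel; it assumes nothing beyond a POSIX shell and awk, and the two php.ini snippets it checks are constructed for the example.

```shell
#!/bin/sh
# Added example: check a php.ini for the functions that let a compromised PHP script
# hand mail to /usr/sbin/sendmail. "mail" on its own is a weak disable_functions;
# the exec family must be disabled too. Sample ini files below are constructed.

REQUIRED="mail exec system passthru shell_exec popen proc_open"

# Effective disable_functions value of an ini file: the last uncommented
# assignment wins. Printed one function per line, lower-cased and trimmed.
effective_disable_functions() {
  awk -F= '
    /^[ \t]*[;#]/ { next }                          # skip commented lines
    $1 ~ /^[ \t]*disable_functions[ \t]*$/ { val = $2 }   # last assignment wins
    END { print val }
  ' "$1" | tr ',' '\n' | tr -d '"' | tr 'A-Z' 'a-z' \
    | sed 's/^ *//; s/ *$//' | grep -v '^$' || true
}

# Prints the required functions that are still callable; returns 0 only if
# every function in REQUIRED is disabled.
missing_disabled_functions() {
  present=$(effective_disable_functions "$1")
  missing=""
  for f in $REQUIRED; do
    printf '%s\n' "$present" | grep -qx "$f" || missing="$missing $f"
  done
  missing=${missing# }
  [ -n "$missing" ] && printf '%s\n' "$missing"
  [ -z "$missing" ]
}

# The corrected directive. disable_functions is PHP_INI_SYSTEM, so it belongs in
# the php.ini that the server actually loads and cannot be relaxed from .htaccess
# or ini_set() by the user's scripts.
HARDENED_LINE='disable_functions = mail,exec,system,passthru,shell_exec,popen,proc_open'

WEAK_INI=$(mktemp); HARD_INI=$(mktemp)
trap 'rm -f "$WEAK_INI" "$HARD_INI"' EXIT
cat > "$WEAK_INI" <<'EOF'
; constructed sample: a php.ini that only blocks two shell-out functions
expose_php = Off
; disable_functions = mail
disable_functions = exec, system
sendmail_path = /usr/sbin/sendmail -t -i
EOF
cat > "$HARD_INI" <<'EOF'
; constructed sample: hardened php.ini
expose_php = Off
disable_functions = "mail,exec,system,passthru,shell_exec,popen,proc_open"
sendmail_path = /usr/sbin/sendmail -t -i
EOF

# Stand-alone run: report each file, and the line to set where the audit fails.
for ini in "$WEAK_INI" "$HARD_INI"; do
  if missing_disabled_functions "$ini" >/dev/null; then
    echo "$ini: ok"
  else
    echo "$ini: still callable: $(missing_disabled_functions "$ini")"
    echo "$ini: set -> $HARDENED_LINE"
  fi
done
```

On the constructed input the first file fails because mail, passthru, shell_exec, popen and proc_open are still callable (the commented-out "disable_functions = mail" line is correctly ignored), and the second passes. On a cPanel server, run the check against every php.ini the PHP handler actually loads (php --ini lists them), since a user-owned copy that omits these entries silently wins over the global one.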