If you type in a browser a page that does not exist, you should get a 404 error page, but on this client site it is going to a password-protected page that does not exist.
The site has been hacked in the past. Is this a backdoor that the hacker has created?
normal page = http://www.rawappetite.com/services/
Page that should not exist = http://www.rawappetite.com/services/intensive-mentoring (this behaviour happens when you type in anything, for example http://www.rawappetite.com/strangepage)
Sitemap = http://www.rawappetite.com/sitemap.xml
How do I hunt down where this behaviour is coded in?
Update: 404.php was full of hacker code still!!
Check your 404.php template.
By the way, I've emailed you the fix for that blockquote p tag bug.
<blockquote>404.php was full of hacker code still!!</blockquote>
Then yes, that's a backdoor the hacker has created. Erase the code and copy the Twenty Twelve 404 page code there.
Or if you have a backup copy of your site theme, then overwrite it with that backup file.
Steve Watson comments:
Spot on! :)
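
An added example, not part of the original thread: one way to hunt for leftover changes like the one found in 404.php is to hash every file in the live theme and compare it with the clean backup copy mentioned above. The function names, directory layout and file contents below are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def index_theme(root: Path) -> dict:
    """Map each file's path (relative to the theme root) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_theme(live: Path, backup: Path) -> dict:
    """Report files that differ from, were added to, or are missing from the backup."""
    live_idx, backup_idx = index_theme(live), index_theme(backup)
    return {
        "modified": sorted(f for f in live_idx
                           if f in backup_idx and live_idx[f] != backup_idx[f]),
        "added": sorted(f for f in live_idx if f not in backup_idx),
        "missing": sorted(f for f in backup_idx if f not in live_idx),
    }


def demo() -> dict:
    """Build a constructed clean backup and a tampered live copy, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        for root in (backup, live):
            root.mkdir()
            (root / "index.php").write_text("<?php // index template\n")
            (root / "404.php").write_text("<?php // not-found template\n")
            (root / "style.css").write_text("/* theme styles */\n")
        # Constructed stand-ins for tampering: an edited template,
        # an unexpected extra file, and a deleted file.
        (live / "404.php").write_text("<?php // not-found template\n// injected\n")
        (live / "inc").mkdir()
        (live / "inc" / "cache.php").write_text("<?php // unexpected file\n")
        (live / "style.css").unlink()
        return compare_theme(live, backup)


if __name__ == "__main__":
    for kind, files in demo().items():
        for name in files:
            print(f"{kind:9} {name}")
```

Every file reported as modified or added needs a manual look before it is overwritten from the backup, since a single cleaned template does not mean the rest of the theme is untouched.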