I have a page for testing purposes its a regular form built in php, name, email, city, state and zip code are the fields that are required by the user. After submitting the form the data input will be sent via email and printed out to the user. Every field is checked for injection.
This page is inside a folder that is Restricted through .htaccess.
What happened is that someone hacked the site not the main site, but specifically this restricted folder and left an index page saying the site security is weak and easy to hack bla bla...?
My question is how could he/they get to this restricted folder? Nothing in the form could give them access so what could led to this? And one more thing I purchased the site few months ago, and I didn't publish it yet cause I didn't finish working on it yet? So I wonder how did they find it?
Could someone help me answering my questions?