What I saw there in the page source code? → https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=www.deconstructingsundance.com%2Fmits%2F&ref_sel=GSP2&ua_sel=ff&fs=1
See: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.deconstructingsundance.com%2Fmits%2F
Scanning -http://www.deconstructingsundance.com …
Script loaded: -http://ajax.cloudflare.com/cdn-cgi/nexp/dok3v=f2befc48d1/cloudflare.min.js
Script loaded: -http://www.deconstructingsundance.com/cdn-cgi/nexp/dok3v=1613a3a185/cloudflare/rocket.js *
Status: success → http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.deconstructingsundance.com%2Fcdn-cgi%2Fnexp%2Fdok3v%3D1613a3a185%2Fcloudflare%2Frocket.js
Number of sources found: 15
Number of sinks found: 17 (link to reklamobilna dot com etc.) Pop-up adware?
Load time: 2200ms GoDaddy / CloudFlare abuse? Reporting sources: quttera.com, openphish.com, google safebrowsing, phishtank, cleanmx-phishing, see: https://cymon.io/104.28.24.97
Re: https://otx.alienvault.com/indicator/ip/104.28.24.97/
Is this Adware Generic detected by Avast in PUP-mode? Detections:
http://www.herdprotect.com/ip-address-104.28.24.97.aspx
polonus (volunteer website security analyst and website error-hunter)