See: http://urlquery.net/report.php?id=1491343480561
See: https://www.virustotal.com/pl/url/c2d54d57cd1b45f9a85f91a6a174b0d7225099396ded4c61769aee18249a8d3d/analysis/1491344949/
Alerts for drive-by-downloads here: https://safeweb.norton.com/report/show?url=bennelsonpics.com
2 retirable libraries: http://retire.insecurity.today/#!/scan/69b10c358fd45cb22770fefb422bd04701685f64a0e14b97c3daf4c915446752
F-status with 5 issues: https://sritest.io/#report/6d700e1f-25c6-49ed-9ace-b15bf4270ac5
F-status and recommendations: https://observatory.mozilla.org/analyze.html?host=www.bennelsonpics.com
source code: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=www.bennelsonpics.com&ref_sel=GSP2&ua_sel=ff&fs=1

YouTube insecurity via: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.bennelsonpics.com%2Fmedia%2Fjui%2Fjs%2Fbootstrap.min.js.pagespeed.jm.7eeKttoVW_.js
What about the embed player algorithm: -www-en_US-vflgfB-i2/base.js fitting in the trend and working in node.js/base.js etc.

Google captcha code with error

line:3: ReferenceError: reference to undefined XML name ::

and just where the sri-hash issue was: -https://www.google.com/recaptcha/api.js

We find cloaking on the site

Checking for cloaking
There is a difference of 759 bytes between the version of the page you serve to Chrome and the version you serve to GoogleBot. This probably means some code is running on your site that’s trying to hide from browsers but make Google think there’s something else on the page.

See what here: http://isithacked.com/check/http%3A%2F%2Fwww.bennelsonpics.com%2Fgallery%2Fsenior-pictures-portraits

Nothing alerted here: http://killmalware.com/www.bennelsonpics.com/gallery/senior-pictures-portraits

polonus (volunteer website security analyst and website error-hunter)

You’ve got a server located in Bulgaria and another in Romania but both represent as in USA.
hxxp://zulu.zscaler.com/submission/show/f243c3c4def484786d5753233944e250-1491367939

Done.

Hi mchain,

Break that scan result url please, as it kicks up an error on mobile for zulzu.zscaler dot com redirecting.
Brave browser won’t open the link when we use Google DNS - 8.8.8.8 and 8.8.4.4 No AAA records.
With another browser I have to allow the redirection and it is OK.

See script here: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fzulu.zscaler.com%2F
See: https://www.hybrid-analysis.com/sample/4f2fbb4d5bf77845cd4ac6e5864594d60e215aa9442c5f4f30fb52bf2981574f?environmentId=100

This code will kick up an undefined varaible $ error as well and is seen as suspicious by Zulu Zscaler as well:
http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.bennelsonpics.com%2Ftemplates%2Fgk_portfolio%2Fjs%2Fjquery.fitvids.js

polonus