We found more sites which were hacked very quickly after LE was generated.
Our clients start the installation after LE is green, but in the meantime (max 15 minutes after LE) a robot from 185.59.221.* comes and uses the WP installation files to prepare the hack. Days after, on all domains, a malware script is called and starts a DDoS to an IP from France. I think that it is because crt.sh is scanned.
More likely they are directly polling the CT log servers, as the delay to detect new domains is much shorter. But yes, what you describe has been happening for a few years now. I see requests to paths like /.git/index within seconds of issuing new certificates!
Re-opening as this link is in a security newsletter that came out this week.
An easy fix for Web Hosting Providers and End Users is to password protect the directory (via htaccess or server configuration) when the domain is first created or WordPress (or another app) is installed. This would prevent attackers from accessing WordPress. The "/.well-known" directory can be made public if Let's Encrypt has not yet obtained a certificate. Once the application is locked down, the domain can be made public again.
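
An added example of the server-configuration variant of the suggestion above, for Apache 2.4 (not part of the original post). The hostname, paths, realm text and user name are placeholders chosen for illustration.

```apache
# Constructed example: example.test, the directory paths, the realm and the
# htpasswd file name are placeholders, not values from the thread.
<VirtualHost *:80>
    ServerName example.test
    DocumentRoot /var/www/example.test/public

    # Lock the whole document root while the application is being installed,
    # so an unfinished installer cannot be reached by anonymous clients.
    # Create the credentials file outside the document root first, e.g.:
    #   htpasswd -c -B /etc/apache2/htpasswd-setup setupuser
    <Directory "/var/www/example.test/public">
        AuthType Basic
        AuthName "Site setup in progress"
        AuthUserFile /etc/apache2/htpasswd-setup
        Require valid-user
    </Directory>

    # Leave only the ACME HTTP-01 challenge path open so certificate issuance
    # still works. <Location> sections are merged after <Directory> sections,
    # and with the default "AuthMerging Off" this Require replaces the
    # "Require valid-user" above for this path only.
    <Location "/.well-known/acme-challenge/">
        Require all granted
    </Location>
</VirtualHost>

# Once the certificate exists, put the same <Directory> block in the
# <VirtualHost *:443> for this site as well; otherwise the installer is
# reachable over HTTPS without a password. Remove both blocks only after the
# application's own setup is finished and its admin account is secured.
```

Basic authentication on port 80 travels unencrypted, so use a throwaway password for this setup window and discard it afterwards.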