It appears that my WordPress site did have some malware embedded in it. Thanks to my friends who alerted me as it didn’t appear to fire off every time; extra eyeballs make these problems easier to spot.
Mind you, even when it activated and my antivirus software did pick something up, it was tricky to hunt down. It turned out to be a piece of obfuscated javascript embedded at the end of the HTML header. I found it by looking through the code but an easier approach is probably the free malware scanner from Sucuri, which I used to confirm the problem.
I’ve solved it by re-uploading the files from my computer to my webserver, which seems to have dealt with the problem. Now I need to do a little more tidying up; there are one or two plugins I might disable (in case they were the infection vector), I need to update the passwords and security codes I use on the site (in case they have been stored anywhere) and I need to scan other pages on the same server.
If you have had any odd pages popping up on visiting my website recently (or, indeed, unexpected finds from other sites) it is definitely worth running a scan on your own machine. Malwarebytes seems a popular choice with a decent free version among some of the IT colleagues I have talked to recently.