It appears that my WordPress site did have some malware embedded in it. Thanks to my friends who alerted me as it didn’t appear to fire off every time; extra eyeballs make these problems easier to spot.
I’ve solved it by re-uploading the files from my computer to my webserver, which seems to have dealt with the problem. Now I need to do a little more tidying up; there are one or two plugins I might disable (in case they were the infection vector), I need to update the passwords and security codes I use on the site (in case they have been stored anywhere) and I need to scan other pages on the same server.
If you have had any odd pages popping up on visiting my website recently (or, indeed, unexpected finds from other sites) it is definitely worth running a scan on your own machine. Malwarebytes seems a popular choice with a decent free version among some of the IT colleagues I have talked to recently.