One of my WordPress installations has recently been hacked. And when trying to resolve the problem it was very difficult to detect the hack. The hack was only active when a user came through a search engine to the site. Nothing bad happened except that the user loaded the site and was then redirected to another site (examples. cashadvancer.com, die-boersenformel.com/
If you want to check open your browser in Incognito Mode and enter your domain in Google/Bing/Yahoo/DuckDuckGo… , click on your link and see what happens.
In the loaded page was a new JS file called google.js. How creative for a file name. The file was loaded from an external server 18.104.22.168/google.js. It was difficult to debug because the script sets a cookie, so a user is only redirected the first time and then never again (until cookie is erased/expires). I search through all the files in the WordPress installation but nothing happened in the files. So I checked the DB and in some posts were the script tags, that were inserted with the post/page content into the DOM.
The Code of the google.js can be found here, if you want to investigate https://gist.github.com/littleiffel/7698307.
If you happen to have the same behavior, need some help, have more insights,… just leave a comment.