I have seen attacks where directly visiting the site doesn't show anything out of the ordinary, but visits coming from Google (referer) show different content. Have also seen ones where only User-Agent: Googlebot would see the modified version of the site.
(I doubt that is the case in OP's situation, but I have seen both of those methods of "hiding" multiple times now)
Yes, this is how most Wordpress malware works - they inject/publish ad or keyword spam content on the site if the user agent is googlebot. Regular users don't get the ads. It's partially why most people never realise their site has been hacked.
(I doubt that is the case in OP's situation, but I have seen both of those methods of "hiding" multiple times now)