I checked the file system for any suspicious files, there were none. I checked the source code and templates for evidence of anything that has been added, there was nothing there. Yet all my pages were being served with the following <script> injected into them just before the closing </html> tag...
JavaScript
<script>'undefined'=== typeof _trfq || (window._trfq = []);'undefined'=== typeof _trfd && (window._trfd=[]),_trfd.push({'tccl.baseHost':'secureserver.net'}),_trfd.push({'ap':'cpsh'},{'server':'xxxxxxxx0000'}) // Monitoring performance to make your website faster. If you want to opt-out, please contact web hosting support.</script><script src='https://img1.wsimg.com/tcc/tcc_l.combined.1.0.6.min.js'></script>
Of course that comment in the script was a give away of what was going on but I didn't immediately want to believe that the website host itself would be injecting a JavaScript script into my website without my consent! Turned out that's exactly what GoDaddy was doing and they justified it as collecting metrics to improve performance.
The technology that's in use here is called Real User Metrics and GoDaddy has a page about it here - Why am I signed up for Real User Metrics?. If you happen to be a customer in US (which I am not but the website is hosted in a US data centre) then you are automatically opted into this service and all your website's pages will have this JavaScript injected into them.
The worst part of it is GoDaddy, in their help article, admits that this could slow down or break your site! So much for a tool that is designed to improve performance and reliability!
Most customers won't experience issues when opted-in to RUM, but the javascript used may cause issues including slower site performance, or a broken/inoperable website.
Luckily there is a way to turn this off - by opting out. Here's how. From the Hosting console, click on the ellipsis (...) in the top right hand corner, then click 'Help Us'.
On the dialogue box that comes up, click 'Opt Out'.
You can only opt-in or opt-out once every 24 hours - which is plenty enough to make this go away. After opting out this JavaScript disappeared from the website.
I am not against web host providers monitoring how their servers are running. Using a technology like RUM is a great way to do it, but this is meant to be a passive technology that is invisible to the end user. Injecting JavaScript into pages being served is far from passive and, at least in my eyes, is a violation of trust between the web host and the customer. I suggest you take this issue into account and make sure to read more about GoDaddy before you settle on a hosting provider.
By the way the issues I was having with the admin interface turned out to be unrelated to this but were rather a bug in Safari which is resolved by closing Safari down and opening it again, maybe more on that later though.
-i