Issue is Piwik server is a seperate server instance nothing on the server but Piwik - it monitors over 12 sites - but just the config of one was changed.
I am wondering if the domain expired and inherited an access domain which Godaddy owns and somehow that config was used.
The WordPress site in question on another server has no malware hits via Wordfence, maldet or sucurri scans.