It’s a hack, the long string of characters is base 64 encoding and it’s filtering out bots and showing an iframe to real visitors. Within the iframe from another site is some malicious javascript. Your site is infected.
It’s trying to filter out a lot of bots actually so some security crawlers might not be seeing the code. Trust me, you’ve got some cleaning up to do but first you need to secure the server/site and lock it down. Take it offline until you are sure it’s clean.
to be clear – wordpress needs to see class=”attachment-post-thumbnail wp-post-image” in your image markup if you want it to convert example.com/?attachment_id into example.com/your-real-post-title on NEW posts. If you delete it, which you may be tempted to do since it’s not a real class on most themes, you will be stuck with /?attachment_id as a permalink from your images.
Frustrating!
