
UK gov blames budget leak on misconfigured WordPress plugin, server

(2025/12/01)


WordPress is the world's most popular content management system, but not so much with the UK government. The country's Office for Budget Responsibility (OBR) has blamed an inadvertent budget disclosure last week on misconfiguration of its WordPress website.

The snafu, first reported by Reuters, [1]roiled UK markets, elicited scathing political criticism, and prompted the fiscal watchdog to apologize. The OBR promised a swift investigation, helmed by OBR's Oversight Board members Baroness Sarah Hogg and Dame Susan Rice.

That [2]report [PDF], prepared in consultation with Ciaran Martin, professor at Oxford University and former CEO of the National Cyber Security Centre, arrived on Monday.


It observes, "Technical commentary has, for many years, noted that WordPress can be onerous to configure and that mistakes are easily made in so doing."


The premature exposure of the OBR's November 2025 Economic and Fiscal Outlook (EFO) followed from a misunderstanding of a WordPress plugin called [6]Download Monitor and a failure to configure the server to block direct access to download directories.

The errors allowed non-government personnel – including, perhaps, journalists – to view the EFO prior to publication.


Whoever gained access to the information was looking for it – predictable resource identifiers represent a longstanding security vulnerability. At 05:16 GMT on November 26 – six minutes after OBR's web host emailed OBR staff to confirm a server modification in anticipation of high traffic – the first request for the URL containing the budget information showed up in server logs.

"Between this time and 11:30, a total of 44 unsuccessful requests to this URL were made from seven unique IP addresses," the report says.

The requested file, however, wasn't present until uploaded by a third-party web developer between 11:30 and 11:35, at which point the URL was first successfully accessed.


The IP address that initially accessed the unpublished file had already made 32 prior unsuccessful requests for the page that morning, according to the report. After it was live, between 11:35 and 12:07, 43 requests for the URL were received from 32 different IP addresses. After that, the PDF file was removed, but it had already been indexed by the Internet Archive.
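The pattern the report reconstructs (a burst of unsuccessful requests for a predictable URL, then a first 200 once the file lands, then more reads before the scheduled slot) is something a defender can pull out of an ordinary access log. The following is an added example, not code from the report or from The Register; the log lines, the RFC 5737 addresses, the placeholder file name and the 13:00 publication slot are all constructed for the demonstration.

```python
import re
from datetime import datetime, timezone

# Apache/nginx "combined" access-log lines; only the standard fields are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed line: skipped, not counted as a request
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"].split("?", 1)[0],  # ignore cache-busting query strings
        "status": int(m["status"]),
    }

def probe_report(lines, embargoed_path, publish_at):
    """Summarise who asked for an embargoed URL and when it first answered 200."""
    hits = sorted(
        (r for r in map(parse_line, lines) if r and r["path"] == embargoed_path),
        key=lambda r: r["ts"],
    )
    first_ok = next((r for r in hits if r["status"] == 200), None)
    probes = [r for r in hits if first_ok is None or r["ts"] < first_ok["ts"]]
    early_ok = [r for r in hits if r["status"] == 200 and r["ts"] < publish_at]
    return {
        "probes_before_first_success": len(probes),
        "probing_ips": sorted({r["ip"] for r in probes}),
        "first_success_at": first_ok["ts"] if first_ok else None,
        "first_success_ip": first_ok["ip"] if first_ok else None,
        "successful_reads_before_publication": len(early_ok),
        "leaked_before_publication": bool(early_ok),
    }

# Constructed sample log (RFC 5737 test addresses, placeholder file name), not OBR's data.
EMBARGOED = "/docs/dlm_uploads/EFO-PLACEHOLDER.pdf"
PUBLISH_AT = datetime(2025, 11, 26, 13, 0, tzinfo=timezone.utc)  # assumed publication slot
SAMPLE_LOG = [
    '203.0.113.10 - - [26/Nov/2025:05:16:00 +0000] "GET /docs/dlm_uploads/EFO-PLACEHOLDER.pdf HTTP/1.1" 404 196 "-" "curl/8.0"',
    '198.51.100.7 - - [26/Nov/2025:06:02:11 +0000] "GET /docs/dlm_uploads/EFO-PLACEHOLDER.pdf?x=1 HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [26/Nov/2025:07:00:45 +0000] "GET /docs/dlm_uploads/EFO-PLACEHOLDER.pdf HTTP/1.1" 404 196 "-" "curl/8.0"',
    '203.0.113.10 - - [26/Nov/2025:11:35:20 +0000] "GET /docs/dlm_uploads/EFO-PLACEHOLDER.pdf HTTP/1.1" 200 2048000 "-" "curl/8.0"',
    '192.0.2.44 - - [26/Nov/2025:11:40:02 +0000] "GET /docs/dlm_uploads/EFO-PLACEHOLDER.pdf HTTP/1.1" 200 2048000 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]
```

Run against the real log, a non-empty `probing_ips` list before the first success is the signal that the URL was being guessed ahead of time, and `leaked_before_publication` is the question the report had to answer.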

When British finance minister Rachel Reeves began her speech at 12:34, per the report's timeline, she acknowledged the early release of the OBR EFO.

The OBR report attributes the stumble to "two mutually contributory configuration errors" related to the creation of draft webpages that follow known naming conventions.


First, OBR used a plugin called [13]Download Monitor that created a webpage with a clear URL that linked to the live data but bypassed the need for authentication.

"The creation of a URL in the clear is a feature of the plug-in which requires specific mitigation if it is not to lead to the document unintentionally being visible before publication," the report explains. "This was obviously not understood within the OBR's online publishing function so the Download Monitor plug-in should not have been used in this way without that understanding."

In addition, the website server lacked the server-level configuration that could have prevented the budget from being accessed early.

"If configured properly, this will block access to the clear URL and return a 'forbidden' message," the report explains. "This is the second contributory configuration error – the server was not configured in this way so there was nothing to stop access to the clear URL bypassing protections against pre-publication access."
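The 'forbidden' response the report describes is what a deny-all rule on the plugin's upload directory produces, so a pre-publication check can simply verify that such a rule is present. The following is an added example, not code from the report or from the Download Monitor project; it assumes the plugin's default directory `wp-content/uploads/dlm_uploads` (the OBR site evidently mapped it under `/docs/`) and an Apache server that honours `.htaccess`, since nginx never reads that file.

```python
import os
import re

# Apache honours .htaccess only where AllowOverride permits it; nginx ignores the
# file entirely, so there the deny rule has to live in the server block itself.
RECOMMENDED_HTACCESS = """\
# Deny every direct request; files are served only through the plugin's download handler.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
"""

def denies_direct_access(htaccess_text):
    """True if the directives, read top to bottom, leave direct requests denied.

    Handles Apache 2.4 (Require) and 2.2 (Deny/Allow) syntax. The last blanket
    directive wins, a conservative reading that flags any trailing allow-all.
    """
    denied = False
    for raw in htaccess_text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()  # drop comments, normalise case
        if re.fullmatch(r"require\s+all\s+denied", line) or re.fullmatch(r"deny\s+from\s+all", line):
            denied = True
        elif re.fullmatch(r"require\s+all\s+granted", line) or re.fullmatch(r"allow\s+from\s+all", line):
            denied = False
    return denied

def audit_download_dir(docroot, rel_dir="wp-content/uploads/dlm_uploads"):
    """Return a list of findings; an empty list means the directory is locked down."""
    htaccess = os.path.join(docroot, rel_dir, ".htaccess")
    if not os.path.isfile(htaccess):
        return [f"{rel_dir}: no .htaccess, direct URLs to uploaded files will be served"]
    with open(htaccess, encoding="utf-8") as fh:
        if not denies_direct_access(fh.read()):
            return [f"{rel_dir}: .htaccess present but does not deny direct access"]
    return []
```

The file check is only half the story: Apache must also have `AllowOverride` set so the directory's `.htaccess` is read at all, which is why the commenters below test the URL from outside after publishing.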

The OBR staff typically maintain the WordPress website, hosted by WP Engine. But generally, three days per year – for the publication of the biannual EFOs and the summer Fiscal Risks and Sustainability report – the extra workload means an external web developer gets brought in.

WP Engine, which hosts the site, did not immediately respond to a request for comment.

Tom Rankin, a UK-based WordPress content creator and marketer, told The Register in an email that while he couldn't speculate on where the blame should be put, WP Engine hosts enterprise clients and is considered reputable.

"I'd be surprised if their server infrastructure would enable access to a file without someone knowing about it," he said. "WP Engine is reputable and secure hosting, as millions of customers can confirm."

A worst-case scenario, he said, "is a team member with administrator access not as savvy with the intricacies of WordPress' user roles and file permissions, secure file uploading strategies, and Download Monitor's deeper-level functionality adding the report to a site and sharing the URL to those who need it (such as superiors)."

"I wouldn't be surprised to see this sort of slip to be the cause of a leak, and I'd chalk that up to simple user error that has had a dramatic impact in this case," he added. "A retraining opportunity rather than retributive punishment."

The report also says there's some evidence a similar thing happened with the last EFO report, published in March.

Normally, the OBR budget details would be published at the conclusion of a speech by Reeves, Chancellor of the Exchequer.

But in March, according to the report, "the logs show that one IP address successfully accessed the document at 12:38, five minutes after Reeves had started speaking and nearly half an hour before publication. It is not known what, if any, action was taken as a result of this access and there is no evidence at this stage of any nefarious activity arising from it."

The report states that, while it isn't yet known where this IP address originated, "there are some indications the IP address may be linked to accounts within UK government and/or other public authorities within the UK."

Cautioning that no conclusions should be drawn based on this preliminary information, the report recommends a more detailed forensic digital audit of recent EFO publications dating back to last year, and a revisitation of the 2013 decision that gave the OBR an exemption to run its own publication site outside of the gov.uk domain. ®




[1] https://www.reuters.com/world/uk/uks-obr-publishes-economic-outlook-ahead-reeves-budget-speech-2025-11-26/

[2] https://obr.uk/docs/dlm_uploads/01122025-Investigation-into-November-2025-EFO-publication-error.pdf


[6] https://github.com/WPChill/download-monitor


[13] https://github.com/WPChill/download-monitor




Doctor Syntax

Whatever the misconfiguration there's a simple, catch-all remedy. Don't upload it until it's due for publication. However predictable the URL, if it isn't there it can't be found.

Lon24

Whenever I have to upload an embargoed page I just do an .htaccess Redirect to a 404 or 'coming soon' page. Then unmodify, i.e. insert # at the appointed time. Pretty simple with Apache.

Oh, and test I really can't see my own page.

Perhaps not practical for everyone.

Nate Amsden

I opened a new WordPress site to the world a week ago, https://cultofthe.cloud/ "Revealing the staggering level of (often times wilful) ignorance regarding hyperscale public cloud IaaS adoption". Been pimping the site on LinkedIn since.

But the main point is my site is pretty simple, just 12 pages and some images. I thought about security, being a bit paranoid, trying to limit plugins to the bare minimum.

I decided to put a whitelist of URLs in my Apache config so if you're not coming from a specific internal IP space you can only access a short list of URLs (any attempts to get other URLs are redirected to an error page using rewrite rules), and can only submit GET requests on most of them. At first I was only interested in locking down the admin interface, then realized I could probably lock it down entirely. Works pretty well.

Add to that I did decide to use a cache accelerator plugin (forgot the name) that basically caches the content in static HTML files to serve up instead of dynamically generated stuff.

Really?

IGotOut

"for many years, noted that WordPress can be onerous to configure"

No it's not.

It's pretty fucking simple. The issue is adding 500 plugins you probably don't need, with half of them not having seen an update in 3 years, and then not bothering to check what they actually do.

Anonymous Coward

"The more they overthink the plumbing, the easier it is to stop up the drain."
