
UK gov blames budget leak on misconfigured WordPress plugin, server

WordPress is the world's most popular content management system, but not so much with the UK government. The country's Office for Budget Responsibility (OBR) has blamed an inadvertent budget disclosure last week on misconfiguration of its WordPress website.

The snafu, first reported by Reuters, roiled UK markets, elicited scathing political criticism, and prompted the fiscal watchdog to apologize. The OBR promised a swift investigation, helmed by OBR's Oversight Board members Baroness Sarah Hogg and Dame Susan Rice. 

That report [PDF], prepared in consultation with Ciaran Martin, professor at Oxford University and former CEO of the National Cyber Security Centre, arrived on Monday.

It observes, "Technical commentary has, for many years, noted that WordPress can be onerous to configure and that mistakes are easily made in so doing."

The premature exposure of the OBR's November 2025 Economic and Fiscal Outlook (EFO) followed from a misunderstanding of a WordPress plugin called Download Monitor and a failure to configure the server to block direct access to download directories.

The errors allowed non-government personnel – including, perhaps, journalists – to view the EFO prior to publication. 

Whoever gained access to the information was looking for it – predictable resource identifiers represent a longstanding security vulnerability. At 05:16 GMT on November 26 – six minutes after OBR's web host emailed OBR staff to confirm a server modification in anticipation of high traffic – the first request for the URL containing the budget information showed up in server logs.

"Between this time and 11:30, a total of 44 unsuccessful requests to this URL were made from seven unique IP addresses," the report says.

The requested file, however, wasn't present until uploaded by a third-party web developer between 11:30 and 11:35, at which point the URL was first successfully accessed. 

The IP address that initially accessed the unpublished file had already made 32 prior unsuccessful requests for the page that morning, according to the report. After it was live, between 11:35 and 12:07, 43 requests for the URL were received from 32 different IP addresses. After that, the PDF file was removed, but it had already been indexed by the Internet Archive.
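The pattern the report's timeline describes, repeated refused requests for a predictable download URL before the file existed and then a first successful fetch from an address that had already been probing, can be pulled out of ordinary web-server access logs. The following is an added example, not code from the report or from WP Engine; it assumes Apache/nginx combined log format and a Download Monitor upload directory under `/wp-content/uploads/dlm_uploads/`, and the log lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Apache/nginx "combined" access-log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log: IPs, times and file names are invented for illustration.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Nov/2025:05:16:02 +0000] "GET /wp-content/uploads/dlm_uploads/2025/11/EFO-Nov-2025.pdf HTTP/1.1" 404 196 "-" "curl/8.0"
203.0.113.5 - - [26/Nov/2025:05:40:11 +0000] "GET /wp-content/uploads/dlm_uploads/2025/11/EFO-Nov-2025.pdf HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.7 - - [26/Nov/2025:06:02:45 +0000] "GET /wp-content/uploads/dlm_uploads/2025/11/EFO-Nov-2025.pdf HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Nov/2025:10:58:30 +0000] "GET /wp-content/uploads/dlm_uploads/2025/11/EFO-Nov-2025.pdf HTTP/1.1" 404 196 "-" "curl/8.0"
203.0.113.5 - - [26/Nov/2025:11:33:20 +0000] "GET /wp-content/uploads/dlm_uploads/2025/11/EFO-Nov-2025.pdf HTTP/1.1" 200 2048000 "-" "curl/8.0"
198.51.100.7 - - [26/Nov/2025:11:36:01 +0000] "GET /wp-content/uploads/dlm_uploads/2025/11/EFO-Nov-2025.pdf HTTP/1.1" 200 2048000 "-" "Mozilla/5.0"
192.0.2.9 - - [26/Nov/2025:11:40:00 +0000] "GET /wp-content/uploads/dlm_uploads/2025/11/Other-Report.pdf HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

def parse_log(text):
    """Return (timestamp, ip, path, status) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:  # ignore lines that are not in combined format
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append((ts, m["ip"], m["path"], int(m["status"])))
    return sorted(events, key=lambda e: e[0])

def find_prepublication_probes(text, watch_prefix, min_misses=2):
    """Flag files under watch_prefix that drew repeated 403/404 requests before
    their first 200: the predictable URL was being guessed before the upload."""
    misses, first_hit = {}, {}  # path -> Counter(ip), path -> (ts, ip)
    for ts, ip, path, status in parse_log(text):
        if not path.startswith(watch_prefix) or path in first_hit:
            continue
        if status == 200:
            first_hit[path] = (ts, ip)
        elif status in (403, 404):
            misses.setdefault(path, Counter())[ip] += 1
    findings = {}
    for path, (ts, ip) in first_hit.items():
        probes = misses.get(path, Counter())
        if sum(probes.values()) >= min_misses:
            findings[path] = {"first_success_at": ts.isoformat(),
                              "first_success_ip": ip,
                              "probes_before_success": dict(probes),
                              "first_downloader_probed_earlier": ip in probes}
    return findings
```

Files that were only ever requested after they went live (the second PDF in the sample) are not reported, which keeps the output focused on URLs that were being guessed ahead of publication.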

When British finance minister Rachel Reeves began her speech at 12:34, per the report's timeline, she acknowledged the early release of the OBR EFO.

The OBR report attributes the stumble to "two mutually contributory configuration errors" related to the creation of draft webpages that follow known naming conventions.

First, OBR used a plugin called Download Monitor that created a webpage with a clear URL that linked to the live data but bypassed the need for authentication.

"The creation of a URL in the clear is a feature of the plug-in which requires specific mitigation if it is not to lead to the document unintentionally being visible before publication," the report explains. "This was obviously not understood within the OBR's online publishing function so the Download Monitor plug-in should not have been used in this way without that understanding."

In addition, the website server lacked the server-level configuration that could have prevented the budget from being accessed early.

"If configured properly, this will block access to the clear URL and return a 'forbidden' message," the report explains. "This is the second contributory configuration error – the server was not configured in this way so there was nothing to stop access to the clear URL bypassing protections against pre-publication access."

The OBR staff typically maintain the WordPress website, hosted by WP Engine. But generally, three days per year – for the publication of the biannual EFOs and the summer Fiscal Risks and Sustainability report – the extra workload means an external web developer gets brought in.

WP Engine, which hosts the site, did not immediately respond to a request for comment.

Tom Rankin, a UK-based WordPress content creator and marketer, told The Register in an email that while he couldn't speculate on where the blame should be put, WP Engine hosts enterprise clients and is considered reputable. 

"I'd be surprised if their server infrastructure would enable access to a file without someone knowing about it," he said. "WP Engine is reputable and secure hosting, as millions of customers can confirm."

A worst-case scenario, he said, "is a team member with administrator access not as savvy with the intricacies of WordPress' user roles and file permissions, secure file uploading strategies, and Download Monitor's deeper-level functionality adding the report to a site and sharing the URL to those who need it (such as superiors)."

"I wouldn't be surprised to see this sort of slip to be the cause of a leak, and I'd chalk that up to simple user error that has had a dramatic impact in this case," he added. "A retraining opportunity rather than retributive punishment."

The report also says there's some evidence a similar thing happened with the last EFO report, published in March.

Normally, the OBR budget details would be published at the conclusion of a speech by Reeves, Chancellor of the Exchequer.

But in March, according to the report, "the logs show that one IP address successfully accessed the document at 12:38, five minutes after Reeves had started speaking and nearly half an hour before publication. It is not known what, if any, action was taken as a result of this access and there is no evidence at this stage of any nefarious activity arising from it."

The report states that, while it isn't yet known where this IP address originated, "there are some indications the IP address may be linked to accounts within UK government and/or other public authorities within the UK."

Cautioning that no conclusions should be drawn from this preliminary information, the report recommends a more detailed forensic digital audit of recent EFO publications dating back to last year, and a review of the 2013 decision that gave the OBR an exemption to run its own publication site outside of the gov.uk domain. ®

Source: The Register
