The leak, first reported by Reuters, roiled the British markets, provoked scathing political criticism and prompted the budget watchdog to apologize. The OBR promised a speedy investigation, aided by OBR’s Oversight Board members Baroness Sarah Hogg and Dame Susan Rice.
That report [PDF], prepared in consultation with Ciaran Martin, professor at the University of Oxford and former CEO of the National Cyber Security Centre, arrived on Monday.
It notes: “Technical commentary has pointed out for many years that WordPress can be difficult to configure and prone to errors.”
The premature release of the OBR’s November 2025 Economic and Fiscal Outlook (EFO) followed a misunderstanding over a WordPress plugin called Download Monitor and an error configuring the server to block direct access to download folders.
The errors allowed non-government personnel – including perhaps journalists – to view the EFO before publication.
Everyone who got access to the information was looking for it. Predictable resource identifiers (URLs) are a long-standing security problem. On November 26 at 05:16 GMT – six minutes after OBR’s web host emailed OBR staff to confirm a server adjustment in anticipation of heavy traffic – the first request for the URL containing the budget information appeared in the server logs.
“Between this time and 11:30 a.m., a total of 44 failed requests were made to this URL from seven unique IP addresses,” the report said.
However, the requested file was not present until it was uploaded by a third-party web developer between 11:30 AM and 11:35 AM, at which point the URL was successfully opened for the first time.
The IP address that initially accessed the unpublished file had already made 32 previous failed requests for the page that morning, the report said. After it went live, between 11:35 AM and 12:07 PM, 43 requests for the URL were received from 32 different IP addresses. Afterwards, the PDF file was deleted, but it had already been indexed by the Internet Archive.
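The timeline above is the kind of pattern a publisher can detect from its own access logs: repeated failed requests for a guessable URL before the file exists, followed by a successful fetch before the embargo lifts. The script below is an added example, not code from the OBR report or from The Register. It parses combined-format web server log lines and summarises, for one embargoed path, the failed probes (with per-IP counts) and any successful downloads before a given publication time. The log lines, the path `/docs/EFO_November_2025.pdf`, the IP addresses and the 13:00 UTC publication time are all constructed for the example and are not values from the report.

```python
"""Pre-publication access audit for an embargoed download URL (added example).

Reads Apache/nginx combined-format access log lines and, for one embargoed
path, reports failed probes made before the file existed and successful
fetches made before the embargo lifted. All sample data is constructed.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Combined log format: ip - - [ts] "METHOD path HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).astimezone(timezone.utc)
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}


def audit_embargo(lines, embargoed_path, embargo_lift):
    """Summarise every request for embargoed_path made before embargo_lift.

    A non-200 response is treated as a probe (the document was not yet
    there or was blocked); a 200 before embargo_lift is an early disclosure.
    """
    probes = []      # failed requests for the embargoed path
    early_hits = []  # successful fetches before publication time
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != embargoed_path:
            continue
        if rec["ts"] >= embargo_lift:
            continue  # requests after publication are legitimate traffic
        (early_hits if rec["status"] == 200 else probes).append(rec)
    probe_ips = Counter(r["ip"] for r in probes)
    first_hit = min(early_hits, key=lambda r: r["ts"]) if early_hits else None
    return {
        "failed_probes": len(probes),
        "probe_ips": dict(probe_ips),
        "early_hits": len(early_hits),
        "early_hit_ips": sorted({r["ip"] for r in early_hits}),
        "first_hit_ip": first_hit["ip"] if first_hit else None,
        # how many times the first successful requester had already probed
        "first_hit_prior_probes": probe_ips[first_hit["ip"]] if first_hit else 0,
    }


# Constructed sample log: path, IPs (documentation ranges) and times are invented.
EMBARGOED = "/docs/EFO_November_2025.pdf"
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Nov/2025:05:16:02 +0000] "GET /docs/EFO_November_2025.pdf HTTP/1.1" 404 196 "-" "curl/8.4"',
    '198.51.100.7 - - [26/Nov/2025:08:00:10 +0000] "GET /docs/EFO_November_2025.pdf HTTP/1.1" 404 196 "-" "curl/8.4"',
    '203.0.113.9 - - [26/Nov/2025:09:12:44 +0000] "GET /docs/EFO_November_2025.pdf HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [26/Nov/2025:09:12:45 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Nov/2025:11:35:30 +0000] "GET /docs/EFO_November_2025.pdf HTTP/1.1" 200 2048000 "-" "curl/8.4"',
    '192.0.2.44 - - [26/Nov/2025:11:50:00 +0000] "GET /docs/EFO_November_2025.pdf HTTP/1.1" 200 2048000 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [26/Nov/2025:13:05:00 +0000] "GET /docs/EFO_November_2025.pdf HTTP/1.1" 200 2048000 "-" "Mozilla/5.0"',
]
# Assumed embargo lift time for the sample; not the real publication time.
PUBLISH_TIME = datetime(2025, 11, 26, 13, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(audit_embargo(SAMPLE_LOG, EMBARGOED, PUBLISH_TIME))
```

Run against the sample, the audit reports three failed probes from two addresses, two successful fetches before the publication time, and that the first successful requester had already probed the same URL twice. The same summary over a real log would tell a publisher whether a guessable URL was being watched before a file was uploaded, which is the signal worth alerting on rather than waiting for a deletion after the fact.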
As British Chancellor of the Exchequer Rachel Reeves began her speech at 12:34 p.m., according to the report’s timeline, she acknowledged the early release of the OBR EFO.
The OBR report attributes the stumble to “two mutually contributing configuration errors” related to creating draft web pages that follow known naming conventions.
First, OBR used a plugin called Download Monitor, which created a web page with a clear URL that linked directly to the live file and bypassed the need for authentication.
“Creating a clear URL is a feature of the plugin that requires specific measures if it is not to result in the document inadvertently becoming visible before publication,” the report explains. “This was clearly not understood within OBR’s online publishing function, so the Download Monitor plugin should not have been used in this way without that understanding.”
Additionally, the website server lacked the server-level configuration that could have prevented early budget access.
“If configured properly, this will block access to the clear URL and return a ‘forbidden’ message,” the report explains. “This is the second contributing configuration error: the server was not configured this way, so there was nothing to prevent access to the clear URL and bypass pre-publish access protections.”
OBR staff normally maintain the WordPress website themselves; it is hosted by WP Engine. But the extra workload around major publications means an external web developer is called in for three days a year – before the publication of the twice-yearly EFOs and the summer report on Fiscal Risks and Sustainability.
WP Engine, which hosts the site, did not immediately respond to a request for comment.
Tom Rankin, a UK-based WordPress content creator and marketer, told The Register in an email that while he couldn’t speculate on where the blame should be placed, WP Engine hosts enterprise clients and is considered reputable.
“I would be surprised if their server infrastructure allowed access to a file without anyone knowing about it,” he said. “WP Engine is a reputable and secure host, as millions of customers can attest.”
In the worst case scenario, he said, “a team member with administrative access isn’t as savvy with the intricacies of WordPress’s user roles and file permissions, secure file upload strategies, and Download Monitor’s deeper functionality, which involves adding the report to a site and sharing the URL with those who need it (like superiors).”
“I wouldn’t be surprised if this type of slip was the cause of a leak, and I would attribute that to simple user error that had a dramatic impact in this case,” he added. “A retraining opportunity instead of a retributive punishment.”
The report also says there are indications that something similar happened with the last EFO report, which was published in March.
Normally the OBR budget details would be published at the end of a speech by Reeves, Chancellor of the Exchequer.
But in March, the report found, “the logs show that one IP address successfully accessed the document at 12:38 p.m., five minutes after Reeves began speaking and almost half an hour before publication. It is unknown what action, if any, was taken as a result of this access and there is no evidence at this stage of any nefarious activity resulting from it.”
The report states that while it is not yet known where this IP address originated, “there are some indications that the IP address may be linked to accounts within the UK government and/or other public authorities in the UK.”
Cautioning that no conclusions should be drawn from this preliminary information, the report recommends a more detailed forensic digital audit of recent EFO publications dating back to last year, and a review of the 2013 decision that gave the OBR an exemption to run its own publication site outside the gov.uk domain. ®