Yesterday, a minor political scandal erupted in the UK when the Office for Budget Responsibility (OBR) accidentally leaked the government budget two hours early. In the past, ministers have resigned for merely answering a question before the full budget announcement, as the budget can move markets significantly.
The OBR have been quick to blame this on a “technical error”, but have now called in a cyber expert from the National Cyber Security Centre to help diagnose the issue, so it’s unclear how well they understand the problem.
While the full details will surely come out eventually, I think there’s a high probability the budget leaked due to how WordPress uploads work, and a misunderstanding of how a WordPress plugin can help secure assets – an entirely preventable problem.
When users upload files to WordPress, they’re placed in predictable locations. If I upload a file called “Budget.pdf” during November, this will be stored at /wp-content/uploads/2025/11/Budget.pdf. Unlike some platforms which add an unguessable hash, WordPress uses this user-supplied filename directly.
Additionally, WordPress does not have a concept of “private” uploaded files – as soon as a file is uploaded by a user, it’s considered public. If you can guess the URL, you can access the file as soon as it’s uploaded.
The OBR’s website uses WordPress, and the linked files are stored as uploads. They also seem to be using a plugin called Download Monitor, which has the same problem, just with slightly different URLs so that downloads can be tracked. For example, the March forecast was: https://obr.uk/docs/dlm_uploads/OBR_Economic_and_fiscal_outlook_March_2025.pdf
The URL the leaked November outlook was published at therefore follows the same format and is easily guessable: https://obr.uk/docs/dlm_uploads/OBR_Economic_and_fiscal_outlook_November_2025.pdf
There’s strong evidence that this exact method is how the OBR’s analysis leaked:
The BBC was able to access the PDF version of the OBR’s key report at 11:45 on Wednesday by replacing the word ‘March’ with ‘November’ in the web address of a previous edition.
How do you solve this problem?
On Altis, the enterprise hosting platform for WordPress, we built a system which enables fully protected, private uploads using access controls in Amazon S3. When content is first written, uploads are stored completely privately and can only be accessed through a temporary, infrastructure-provided signed URL. Only when users hit the “Publish” button do we also transition the linked assets to public, so they can be accessed without a signed URL. Our customers regularly use this to publish financial results and market-moving news with confidence that their content won’t leak ahead of time.
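The two mechanisms discussed above, modelled in plain Python as an added example for this post (it is not WordPress or Altis code, and every name in it, such as UploadStore, SIGNING_KEY and the helper functions, is an assumption made for the illustration): the predictable WordPress-style upload path from the earlier section beside an unguessable variant, and a store in which every upload starts private, is reachable only through a short-lived HMAC-signed URL, and becomes public only when publish() is called.

```python
"""Private-until-publish uploads with expiring signed URLs, modelled in Python.

Added example for this post, not WordPress or Altis code. Every name below
(UploadStore, SIGNING_KEY, the helper functions) is an assumption made for
the illustration; the signing key and the sample upload are constructed.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed secret for the example; real infrastructure keeps this outside the app.
SIGNING_KEY = b"constructed-example-key-do-not-reuse"
UPLOAD_PREFIX = "/wp-content/uploads"


def default_upload_path(filename: str, year: int, month: int) -> str:
    """WordPress-style path: the user-supplied name is used as-is, so the
    location of a new edition can be derived from an old one."""
    return f"{UPLOAD_PREFIX}/{year}/{month:02d}/{filename}"


def unguessable_upload_path(filename: str, year: int, month: int,
                            token: Optional[str] = None) -> str:
    """Hardened variant: a random token in the name defeats derivation.
    `token` is only a parameter so tests can pin the value."""
    stem, dot, ext = filename.rpartition(".")
    if not dot:  # no extension: rpartition put the whole name in `ext`
        stem, ext = filename, ""
    token = token or secrets.token_urlsafe(16)
    name = f"{stem}-{token}" + (f".{ext}" if ext else "")
    return f"{UPLOAD_PREFIX}/{year}/{month:02d}/{name}"


def _sign(path: str, expires: int) -> str:
    """HMAC over path and expiry, the way a signed-URL scheme binds both."""
    return hmac.new(SIGNING_KEY, f"{path}\n{expires}".encode(), hashlib.sha256).hexdigest()


@dataclass
class StoredObject:
    path: str
    data: bytes
    public: bool = False  # every object starts private


@dataclass
class UploadStore:
    """Stand-in for an object store with per-object access controls."""
    objects: Dict[str, StoredObject] = field(default_factory=dict)

    def upload(self, filename: str, data: bytes, year: int, month: int) -> str:
        path = unguessable_upload_path(filename, year, month)
        self.objects[path] = StoredObject(path, data, public=False)
        return path

    def publish(self, path: str) -> None:
        """Called when the editor hits Publish: the linked asset becomes public."""
        self.objects[path].public = True

    def signed_url(self, path: str, ttl_seconds: int = 300,
                   now: Optional[float] = None) -> str:
        """Temporary URL an editor uses to preview a still-private object."""
        expires = int(time.time() if now is None else now) + ttl_seconds
        return f"{path}?{urlencode({'expires': expires, 'sig': _sign(path, expires)})}"

    def fetch(self, url: str, now: Optional[float] = None) -> Optional[bytes]:
        """Serve a request as the edge would: public objects need nothing,
        private ones need an unexpired, untampered signature."""
        parts = urlsplit(url)
        obj = self.objects.get(parts.path)
        if obj is None:
            return None
        if obj.public:
            return obj.data
        query = parse_qs(parts.query)
        try:
            expires = int(query["expires"][0])
            sig = query["sig"][0]
        except (KeyError, ValueError):
            return None  # bare or malformed URL: a guessed path gets nothing
        if (time.time() if now is None else now) > expires:
            return None  # signature expired
        if not hmac.compare_digest(sig, _sign(parts.path, expires)):
            return None  # signature does not match this path and expiry
        return obj.data


if __name__ == "__main__":
    store = UploadStore()
    path = store.upload("Budget.pdf", b"constructed report bytes", 2025, 11)
    print("bare URL before publish:", store.fetch(path))
    print("signed URL before publish:", store.fetch(store.signed_url(path)))
    store.publish(path)
    print("bare URL after publish:", store.fetch(path))
```

The signature covers both the path and the expiry, so a URL signed for one object cannot be reused for another or kept alive past its window, and the comparison is constant-time. In a real deployment the same shape is provided by the object store itself (S3 presigned URLs for private objects, with the object's access control flipped on publish), which is what the paragraph above describes.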
In the OBR’s case, the underlying files appear to be protected by Download Monitor using Apache .htaccess files, which prevents some forms of direct access. However, the dlm_uploads URLs are not protected further: the Pro version of the plugin appears to offer this functionality, but it seems they were not using it. Additionally, metadata about these files could still leak through the places where out-of-the-box WordPress exposes “attachments” (upload metadata).
The OBR are not the only ones to get bitten by WordPress leaking data that was thought to be private. The Nobel Peace Prize winner also leaked through a similar method.
Organizations publishing critically important news like this need to take as many precautions as they can with how they handle this data, as it can shift markets and affect real people’s lives.
The best way enterprises using WordPress can do this is by moving to Altis, the WordPress-powered platform designed from the ground up for the enterprise. Only Altis addresses these problems at the root, by changing WordPress’ behaviour and implementing infrastructure protections to fit complex enterprise privacy and security requirements. With our deep knowledge of WordPress, and a team of experts including the co-founder of WordPress, there’s no better choice for your enterprise – that’s why we’re trusted by banks and global publishers to manage their sites.