Whatever the misconfiguration there's a simple, catch-all remedy. Don't upload it until it's due for publication. However predictable the URL, if it isn't there it can't be found.
UK gov blames budget leak on misconfigured WordPress plugin, server
WordPress is the world's most popular content management system, but not so much with the UK government. The country's Office for Budget Responsibility (OBR) has blamed an inadvertent budget disclosure last week on misconfiguration of its WordPress website. The snafu, first reported by Reuters, roiled UK markets, elicited …
COMMENTS
-
Monday 1st December 2025 22:37 GMT Nate Amsden
perhaps not practical for everyone
I opened a new WordPress site to the world a week ago, https://cultofthe.cloud/ "Revealing the staggering level of (often times wilful) ignorance regarding hyperscale public cloud IaaS adoption". Been pimping the site on LinkedIn since.
But the main point is my site is pretty simple, just 12 pages and some images. I thought about security, being a bit paranoid, trying to limit plugins to bare minimum.
I decided to put a whitelist of URLs in my Apache config so if you're not coming from a specific internal IP space you can only access a short list of URLs (any attempts to get other URLs are redirected to an error page using rewrite rules), and can only submit GET requests on most of them. At first I was only interested in locking down the admin interface then realized I could probably lock it down entirely. Works pretty well.
Add to that I did decide to use a cache accelerator plugin (forgot the name), basically caches the content in static HTML files to serve up instead of dynamically generated stuff.
-
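An Apache 2.4 sketch of the kind of URL allowlist described in the comment above. This is an added example, not the commenter's actual configuration. The internal range 10.0.0.0/8, the map file path, the listed URLs and /blocked.html are all assumptions, and HEAD is allowed alongside GET as a further assumption.

```apache
# Virtual-host context (RewriteMap cannot be declared in .htaccess).
#
# Constructed map file /etc/apache2/public-urls.map, one exact path per line:
#   /                                      ok
#   /about/                                ok
#   /wp-content/uploads/2025/11/logo.png   ok
# Theme CSS/JS and cached static files need their own entries too.
# Because keys are exact paths, not directory prefixes, a file uploaded
# ahead of time is not served to outsiders until its path is added here.

RewriteEngine On
RewriteMap public "txt:/etc/apache2/public-urls.map"

# 1. Requests from the internal address space (assumed) are not filtered.
RewriteCond expr "-R '10.0.0.0/8'"
RewriteRule ^ - [L]

# 2. The error page itself must stay reachable, or rule 3 loops.
RewriteRule ^/blocked\.html$ - [L]

# 3. Any path that is not an exact key in the map is sent to the error page.
#    REQUEST_URI excludes the query string, so ?p=123 style lookups
#    only work on paths that are themselves listed.
RewriteCond ${public:%{REQUEST_URI}|deny} =deny
RewriteRule ^ /blocked.html [R=302,L]

# 4. Listed paths accept GET and HEAD only; other methods get 405.
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD)$
RewriteRule ^ - [R=405,L]
```

Validate with `apachectl configtest` before reloading, then request an unlisted path from an outside address and confirm the redirect.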
-
Monday 1st December 2025 23:57 GMT Lon24
Re: Really?
The OBR head honcho has resigned. I guess others were using this as an excuse to get rid of him.
It was a stupid error made by an unthinking and probably low paid underling. Frankly board level folks wouldn't have a clue what a URL is. The Website manager should. That's where the buck should have stopped and they be invited to leave the building pronto.
-
-
Tuesday 2nd December 2025 12:22 GMT Anonymous Coward
Re: Really?
I've written a couple of WordPress plug-ins a few years back and the architecture to hook them into the system felt like a real mess to me - IIRC everything is always pulled in for every request whether or not it's needed and it seemed like there would be all kinds of interesting ways for plugins to interact unexpectedly if everyone involved wasn't very careful.
-
-
Tuesday 2nd December 2025 01:57 GMT Anonymous Coward
Embargoed content
I’ve lost track of the number of embargoed items I’ve been asked to publish.
It’s really not that difficult to manage, even if you’re only trusted with the content at the last minute.
Prepare. Test. Hold. Wait. Release. Test.
The biggest drama is usually the flurry of phone calls at the appointed release time.
“Yes, yes, I’m doing it right now, you’ve just slowed the process up” (rinse and repeat)
-
This post has been deleted by its author
-
-
This post has been deleted by its author
-
Tuesday 2nd December 2025 11:32 GMT Anonymous Coward
Re: Illegal
I suggest you "read the law" and also check your statements before publishing them.
No the BBC have not "admitted their journalist guessed" the URL. The BBC confirmed their journalist was able to access the document using the URL that was being circulated by virtue of someone else having guessed it.
I don't believe you will be able to provide any evidence to back up your claim that modifying a URL in that way is illegal. Nobody to my knowledge has ever been successfully charged in doing so. There have been attempts at charging such people which have failed, and there have been successful prosecutions of people who've done this but specifically for what they did after having done so.
The UK labour market analysis for November is available at https://www.ons.gov.uk/employmentandlabourmarket/peopleinwork/employmentandemployeetypes/bulletins/uklabourmarket/november2025.
I've no idea when the December analysis will be published but it is farcical for you to suggest that it is "technically illegal" for me to change "november" to "december" in the above.
-
-
Tuesday 2nd December 2025 13:30 GMT I ain't Spartacus
Re: Illegal
It's very unlikely to be illegal to have. But it might be illegal to use?
If you're a journalist, you're doing journalist things - then happy days. You just got a scoop.
If you're a trader - then you might be considered to be using insider information. However I'd suspect your lawyers will argue that the data was published online (by the government no less), and so you used publicly available information - so not insider dealing. Unless there's some conspiracy where an insider deliberately messes up security to give someone else plausible deniability - bloody hard to prove - I can't see anything coming of this.
-
Tuesday 2nd December 2025 14:50 GMT Jellied Eel
Re: Illegal
>Unless there's some conspiracy where an insider deliberately messes up security to give someone else plausible deniability - bloody hard to prove - I can't see anything coming of this.
Maybe there will, now dear ol' government has decided to end jury trials for financial crimes. But-
"It is not known what, if any, action was taken as a result of this access and there is no evidence at this stage of any nefarious activity arising from it."
The market seemed to start moving in ways that you'd not expect, if they'd simply been following along with Reeves. Which suggests some market players did get early access and acted on that information. Which probably can't be prosecuted given the OBR kinda published the doc, even though they weren't supposed to. So then like you say, if there was an OBR insider who used the error to leak the report and make some money in the process, which might be hard to prove.
-
Wednesday 3rd December 2025 07:23 GMT W.S.Gosset
Re: Illegal
>government has decided to end jury trials for financial crimes
Errr... what? No. Not "financial". Lammy/Labour is looking to ram through: ANYTHING 3 years prison or less.
So that includes sexual assaults, stalking, sharing indecent images, and --critical for Labour-- posting awkward facts or opinions on the internet.
Worth noting re the latter (12,000 a year in 2023, before Labour wound the volume right up to psycho territory) that, say, if the Civil Service or Labour decides that DigitalID is so important to the govt's objectives that govt IT must not be criticised, that just the last coupla days of ElReg stories plus forums would see at least one Register employee (possibly 2) plus multiple commentards fall foul of the current misinformation laws and be liable to arrest & trial without a jury for multi-year jail time.
(Juries are currently NotGuilty'ing/TheLaw'sAnAss'ing people on such charges at over twice the rate of judges.)
-
-
-
-
-
Tuesday 2nd December 2025 16:00 GMT HellDiverUK
If OBR is like the rest of uk.gov, then it'll be horribly understaffed with high churn. Person publishing the files probably was doing it for the first time, with scant notes from their predecessor, who also had only done it once or twice. Chinese whispers sort of thing.
I'm a civil servant in post for over 20 years, and there's stuff I do once a year and I've forgotten how to do it by the time it rolls round, as I've so much other mundane nonsense to do the rest of the year.
-
Wednesday 3rd December 2025 01:43 GMT Roland6
>"and there's stuff I do once a year and I've forgotten how to do it by the time it rolls round, as I've so much other mundane nonsense to do the rest of the year."
That’s how accountants make their money, doing annual company house and HMRC submissions because business people forget and it’s easier to pay someone else than to spend time relearning…
-