
The OBR WordPress Budget Leak Shows Why WordPress Is No Place for Serious eCommerce Brands

December 2, 2025
The OBR accidentally published its market-sensitive Budget forecast early because of two basic configuration errors, a vulnerable WordPress plug-in, and weak governance. Within minutes, the nation’s most important fiscal document was in the hands of journalists simply because someone guessed the URL and the system allowed it.

The Office for Budget Responsibility didn’t suffer a cyber-attack. It suffered something far more common and far more dangerous for British businesses.

A preventable, well-understood, WordPress-related security failure.


The OBR isn’t an eCommerce business but it is a live example of what happens when you use SME-grade tooling for business-critical, time-sensitive releases. Swap “Budget forecast” for “a sensitive product or pricing update” and the risk looks very familiar.

This wasn’t sophisticated. It wasn’t a breach by a hostile state. It was a default setup used by thousands of UK businesses every day.

And that’s the real problem.

A national-level failure caused by small-organisation tooling

The OBR runs its website outside the secure GOV.UK platform. Instead, it used an SME-grade WordPress system supported by a single external developer: one person as the single point of failure for one of the country's most sensitive publication workflows.

The investigation confirmed four failures. A plug-in generated public, guessable download links for the file; those links bypassed WordPress's own "hidden until publication" controls; the web server allowed direct access to the upload directory; and the URL scheme was so predictable that journalists reached the document simply by changing "March" to "November" in the previous forecast's address. At least 32 people retrieved the file before the Chancellor even stood up.
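The three conditions described above (an embargoed file served to anonymous clients, an upload folder that returns a directory index, and a filename derivable from one already public) can all be checked before an embargo lifts. The following is an added example written for this article; it is not code from the OBR investigation, from WordPress, or from Velstar. It assumes a site whose uploads sit under a predictable path with a month name in the filename, and it takes the HTTP layer as an injected fetch() so it runs offline here against constructed responses. In production, pass a wrapper around a plain GET with no cookies or credentials, so the check sees exactly what an anonymous visitor sees.

```python
"""Pre-publication exposure check for embargoed uploads on a WordPress-style site.

Added example, not the OBR's, WordPress's or Velstar's code. All URLs, filenames
and HTTP responses below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.parse import urlsplit


@dataclass
class Response:
    status: int
    body: str = ""


@dataclass(frozen=True)
class Finding:
    url: str
    problem: str


SERVED_EARLY = "embargoed file is served to anonymous clients (HTTP 200)"
DIR_LISTING = "upload directory returns an index listing"
GUESSABLE = "file reachable by swapping the month in an already public URL"

MONTHS = ("January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December")


def parent_dir(url: str) -> str:
    """Folder URL containing the file, e.g. .../uploads/forecasts/ for .../forecasts/x.pdf."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}{p.path.rsplit('/', 1)[0]}/"


def month_siblings(url: str) -> List[str]:
    """URLs obtained by swapping the first month name found in the path.

    This is the one-word change the journalists made (March -> November). Extend the
    token list to years, quarters or version numbers to match your own naming scheme;
    a short month such as "May" can also match unrelated words, so review hits.
    """
    path = urlsplit(url).path
    hit = next((m for m in MONTHS if m.lower() in path.lower()), None)
    if hit is None:
        return []
    return [re.sub(hit, other, url, flags=re.IGNORECASE) for other in MONTHS if other != hit]


def check_release(public_urls: List[str], embargoed_urls: List[str],
                  fetch: Callable[[str], Response]) -> List[Finding]:
    """Run the three checks an editor should make before an embargoed file goes live."""
    findings: List[Finding] = []

    # 1. The embargoed file itself must not be served to an unauthenticated client.
    for url in embargoed_urls:
        if fetch(url).status == 200:
            findings.append(Finding(url, SERVED_EARLY))

    # 2. No folder involved may expose a directory index; a listing removes any need to guess.
    for folder in sorted({parent_dir(u) for u in public_urls + embargoed_urls}):
        r = fetch(folder)
        if r.status == 200 and re.search(r"<title>\s*Index of", r.body, re.IGNORECASE):
            findings.append(Finding(folder, DIR_LISTING))

    # 3. Sweep the guessable siblings of every public file; anything served that is not
    #    itself public is an unexpected exposure, embargoed or otherwise.
    known = set(public_urls)
    for pub in public_urls:
        for sibling in month_siblings(pub):
            if sibling not in known and fetch(sibling).status == 200:
                findings.append(Finding(sibling, GUESSABLE))
                known.add(sibling)
    return findings


# Constructed sample site: a public March forecast, an embargoed November one, and a
# misconfigured server that both serves the embargoed file and lists the folder.
BASE = "https://example.org/wp-content/uploads/forecasts"
FOLDER = BASE + "/"
PUBLIC = [BASE + "/Forecast-March-2025.pdf"]
EMBARGOED = [BASE + "/Forecast-November-2025.pdf"]

LEAKY_SITE: Dict[str, Response] = {
    PUBLIC[0]: Response(200, "%PDF-1.7 (public March forecast)"),
    EMBARGOED[0]: Response(200, "%PDF-1.7 (November forecast, should not be served yet)"),
    FOLDER: Response(200, "<html><head><title>Index of /wp-content/uploads/forecasts/</title>"),
}
HARDENED_SITE: Dict[str, Response] = {
    PUBLIC[0]: Response(200, "%PDF-1.7 (public March forecast)"),
    EMBARGOED[0]: Response(404),   # hidden until publication actually holds
    FOLDER: Response(403),         # Options -Indexes or equivalent in place
}


def leaky_fetch(url: str) -> Response:
    return LEAKY_SITE.get(url, Response(404))


def hardened_fetch(url: str) -> Response:
    return HARDENED_SITE.get(url, Response(404))


if __name__ == "__main__":
    for f in check_release(PUBLIC, EMBARGOED, leaky_fetch):
        print(f"{f.problem}: {f.url}")
    print("hardened site findings:", check_release(PUBLIC, EMBARGOED, hardened_fetch))
```

Against the leaky site the check reports the November file served early, the folder listing, and the November file again as reachable from the March URL; against the hardened site it reports nothing. Run it as a gate in the publishing workflow, from outside the organisation's network, before the scheduled release time rather than after.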

Any eCommerce business relying on similar setups is exposed to the same risks, only the consequences will hit your revenue, not Westminster.

WordPress governance: the UK’s quietest cybersecurity crisis

This is not a one-off. Across the UK, major businesses have been caught out by misconfigured systems, outdated plug-ins, and platforms that weren’t designed for today’s security landscape.

Patchstack's State of WordPress Security 2025 report found 7,966 new WordPress vulnerabilities disclosed in 2024, about 22 every day, and 96% of them came from plug-ins rather than the WordPress core. These are coding mistakes and design weaknesses that any scanner can find, not the product of sophisticated, targeted intrusion.

Several widely used plug-ins with vulnerabilities disclosed in 2025 contained unauthenticated access bugs, file exposure issues, and directory traversal flaws: the same category of technical failure that exposed the OBR. WordPress still powers around 43% of the entire web, according to WPZoom, which makes it the single biggest target surface for scanning and exploit development. If there is a misconfiguration, it will be found.

We’re also seeing this shift up close. Enquiries to move away from WordPress have risen sharply across our client-facing teams over the past 12 months, not for new functionality, but because businesses are no longer comfortable carrying the risk that comes with a plug-in-heavy, self-hosted platform.

WordPress is not the problem. WordPress in the wrong context is.

For SMEs, WordPress can be perfectly adequate. For businesses handling high-value transactions, sensitive data, or high-traffic events, it’s a different story.

The OBR incident highlights the same governance failures we see across mid-market and enterprise commerce: unverified assumptions, plug-in sprawl, and single points of failure. Your site, your customers, and your revenue deserve infrastructure built for modern security standards, not repurposed blogging software held together by dozens of add-ons.

If the OBR can get caught out, so can any eCommerce business

Imagine if the leak had been your new product range, a major price rise, a promotion, or the wholesale pricing model your competitors would love to see.

Your competitors would see it. Your customers would see it. Google would index it. Screenshots would spread in seconds.

The point is simple: if WordPress can accidentally expose the nation's Budget, it can leak your next major commercial update just as easily. And unlike the OBR, you don't get a parliamentary statement to explain it away; you get lost revenue, lost trust, and a weakened competitive position.

Shopify and Peracto: platforms built for security, scale, and commercial reliability

Shopify and Peracto aren’t generic website builders. They’re commerce platforms engineered for businesses where uptime, performance, and security are non-negotiable.

They don't rely on a patchwork of third-party plug-ins to deliver core functionality. The essentials (secure checkout, product management, customer accounts, hosting, CDN, performance optimisation and ongoing updates) are built into the platform.

That means fewer moving parts, fewer opportunities for misconfiguration, no plug-in sprawl, and no dependency on a single developer to keep everything secure. Shopify delivers this as a fully hosted SaaS environment with enterprise-grade controls from day one. Peracto offers similar resilience for more bespoke or complex commerce needs, with governance, security, and deployments handled to modern standards.

These platforms are secure by default because the vendor owns the configuration. WordPress is only secure if every component is configured, monitored, verified, and maintained by you, and that is precisely where the OBR failed.

The OBR incident is a reminder that business-critical commerce requires platforms engineered for resilience, not assembled from general-purpose CMS tools.

Is your site secure?

If you’re running an eCommerce site on WordPress or relying on legacy infrastructure that has quietly grown risky, our specialists can help you understand your exposure and plan a safe transition to Shopify or Peracto.

Speak to our experts. Don’t wait for the leak to come from your website.