A minor political scandal erupted in the UK yesterday when a budget document was leaked earlier than intended. Details contained in the regular publication are kept secret in advance because they can trigger dramatic changes in national and international markets.
The problem appears to have been caused by a misunderstanding about how secure files stored in WordPress websites are. WordPress, at its core, is designed for simple content- and article-driven websites, but its functionality can be extended as needed through plugins or custom development. This is one of the great strengths of WordPress as a content management system: site owners can extend the basic functionality with practically no restrictions.
If you need to publish files at a specific time, or restrict access to certain content, the site must be technically extended to support those requirements.
The standard scheduling available to authors and content editors for articles and pages does not apply to files unless this functionality has been expressly implemented.
In this case, a file uploaded in March 2025 was available via the standard WordPress download path — for example, /wp-content/uploads/March_2025.pdf. This made it easy to guess the name of the updated report and download it simply by changing the month in the URL to “November”… which is exactly what a journalist achieved.
Technical safeguards should never rely on the knowledge of a content manager. Authors and editors must not expected to understand the inner workings of a website; instead, an experienced advisor or web agency like Say Hello must ensure that appropriate security features are properly implemented.
If you need to publish content at a specific time, or restrict access to certain users, the site must be technically extended to support those requirements.
I have implemented such protections many times, including for a local publishing company whose technical articles and downloadable PDFs must only be accessible to registered users. To ensure secure access, my solution blocks all direct PDF requests and routes them through a script that checks the user’s login status, refusing access when appropriate. By developing a bespoke (but inexpensive) solution, we ensured that content could not be scraped by unauthorised visitors.
If you need to restrict access to documents on your WordPress website — including PDFs, images or other media — feel free to get in touch to discuss how we can meet your security requirements.
