There are a few writers who I follow religiously, and one is Matt Levine of Bloomberg’s Money Stuff. For business and finance it’s one of the smartest and funniest things you can read. Yesterday, I think for the first time, he mentioned WordPress! It was in the context of his quote from this great X thread about how the Polymarket insider predicted the Nobel Peace Prize winner.

This trader apparently didn’t have inside information, in the traditional bad sense of like bribing a Nobel committee staffer. Instead, web scraping:

“The Nobel site runs on WordPress. Like many WordPress setups, it has an XML sitemap that lists every indexable page, even ones not yet public. If someone were monitoring this sitemap, they could easily notice a new page appear, something like “http://nobelprize.org/prizes/peace/2025/machado/facts/”

If you run a WordPress site and want the best advice in the world for how to avoid this sort of thing, I highly recommend our enterprise WordPress VIP service! They help run some of the largest and most secure WordPress sites in the world, and could easily help you avoid something like this. WordPress is easy and cheap to run everywhere, even on a Raspberry Pi, but you get what you pay for, and any serious organization or mission-critical website should be on VIP.

3 thoughts on “On Money Stuff”

  1. “It has an XML sitemap that lists every indexable page, even ones not yet public.”

    I don’t think that’s correct, pages and posts only appear in their respective sitemaps after they’re published, not while they’re still drafts.

    Later in the article, the real reason it was discovered seems to be mentioned: through an image sitemap. It’s worth noting that WordPress doesn’t include image sitemaps out of the box, so this must have been generated by a plugin. I assume the plugin adds uploaded images to the sitemap immediately, even before the page or post that uses them is published. That’s probably why it was discovered.

  2. Fascinating how a simple sitemap detail can reveal so much. A great reminder that small oversights in WordPress setups can have massive consequences, especially for high-profile sites.
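
A defender-side check for the exposure discussed in the quoted thread and in the first comment, as an added example that is not part of the original post or its comments: it compares a sitemap against what the site has actually published and flags page and image entries that nothing published accounts for. The function name, the `published` mapping (assumed to be exported from your CMS) and the example.org sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "sm": "http://www.sitemaps.org/schemas/sitemap/0.9",
    "image": "http://www.google.com/schemas/sitemap-image/1.1",
}

# Constructed sample: one published page, one unannounced page, and one
# attachment entry whose image belongs to the unannounced page.
SAMPLE = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"
        xmlns:image="http://www.google.com/schemas/sitemap-image/1.1">
  <url>
    <loc>https://example.org/prizes/2024/</loc>
    <image:image><image:loc>https://example.org/uploads/2024-laureate.jpg</image:loc></image:image>
  </url>
  <url><loc>https://example.org/prizes/2025/laureate/facts/</loc></url>
  <url>
    <loc>https://example.org/uploads/2025-laureate-portrait/</loc>
    <image:image><image:loc>https://example.org/uploads/2025-laureate-portrait.jpg</image:loc></image:image>
  </url>
</urlset>"""

# Assumption: published page URL -> image URLs it embeds, exported from the CMS.
PUBLISHED = {
    "https://example.org/prizes/2024/": {"https://example.org/uploads/2024-laureate.jpg"},
}

def norm(url):
    """Ignore surrounding whitespace and a trailing slash when comparing URLs."""
    return url.strip().rstrip("/")

def audit_sitemap(xml_text, published):
    """Return sorted (kind, url) findings for sitemap entries that no
    published page accounts for. Run it on your own site's sitemap."""
    pages = {norm(u) for u in published}
    images = {norm(i) for imgs in published.values() for i in imgs}
    findings = set()
    for url in ET.fromstring(xml_text).findall("sm:url", NS):
        loc = url.findtext("sm:loc", default="", namespaces=NS)
        if loc.strip() and norm(loc) not in pages:
            findings.add(("unpublished-page", loc.strip()))
        # Image entries can leak through the file name alone.
        for img in url.findall("image:image/image:loc", NS):
            if img.text and norm(img.text) not in images:
                findings.add(("orphan-image", img.text.strip()))
    return sorted(findings)

if __name__ == "__main__":
    for kind, url in audit_sitemap(SAMPLE, PUBLISHED):
        print(f"{kind}: {url}")
```

Running a check like this before an embargoed announcement, against every sitemap the site and its plugins generate, shows what an outside observer could already see.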
