Posts set to 'private' and password protected should return a 403 HTTP header status

[jonoaldersonwp]

These currently output a 200 status, which may result in search engines and external agents indexing them.

If the user doesn't have access permissions, a 403 header status should be returned.

[earnjam]

Private returns a 404. See #23407

Based on the screenshot I think you specifically mean password protected pages?

[jonoaldersonwp]

Ah, yes. Good clarification, ty.

[Presskopp]

@jonoaldersonwp what do you say to

I disagree with this specifically - privately published posts should not be "known" to anybody who shouldn't have access. Returning a 403 instead of 404 would make it known.

by @helen (https://core.trac.wordpress.org/ticket/29829#comment:2)

and

Private is not meant to be "you need an account" private. It is meant to be "it doesn't exist" private. Let's not tip our hats with a 403.

by @nacin (https://core.trac.wordpress.org/ticket/23407#comment:4)

[Presskopp]

If 403 or 404, but surely not 200

[Presskopp]

Rethinking this, it seems like the 404 for private is perfectly fine, only the 200 for password protected not. Patching to 403 therefore. I assume the patch could be more elegant, but I'm happy I made it so far.