Make WordPress Core

Opened 5 years ago

Last modified 12 months ago

#46296 new defect (bug)

Posts set to 'private' and password protected should return a 403 HTTP header status

Reported by: jonoaldersonwp
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: minor
Version:
Component: Posts, Post Types
Keywords: seo has-patch
Focuses:
Cc:


These currently output a 200 status, which may result in search engines and external agents indexing them.

If the user doesn't have access permissions, a 403 header status should be returned.

Attachments (1)

46296.diff (429 bytes) - added by Presskopp 12 months ago.


Change History (6)

#1 @earnjam
5 years ago

Private returns a 404. See #23407

Based on the screenshot I think you specifically mean password protected pages?

#2 @jonoaldersonwp
5 years ago

  • Summary changed from Posts set to 'private' should return a 403 HTTP header status to Posts set to 'private' and password protected should return a 403 HTTP header status

Ah, yes. Good clarification, ty.

#3 @Presskopp
12 months ago

@jonoaldersonwp what do you say to

I disagree with this specifically - privately published posts should not be "known" to anybody who shouldn't have access. Returning a 403 instead of 404 would make it known.

by @helen (


Private is not meant to be "you need an account" private. It is meant to be "it doesn't exist" private. Let's not tip our hats with a 403.

by @nacin (

#4 @Presskopp
12 months ago

  • Keywords needs-patch added

If 403 or 404, but surely not 200

#5 @Presskopp
12 months ago

  • Keywords has-patch added; needs-patch removed

Rethinking this, it seems like the 404 for private is perfectly fine, only the 200 for password protected not. Patching to 403 therefore. I assume the patch could be more elegant, but I'm happy I made it so far.
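
One way to get the behaviour this comment settles on from a plugin, shown as an added example: it is not the attached 46296.diff and not WordPress core code. The function name is hypothetical, and the `X-Robots-Tag` header is an extra assumption that goes beyond what the ticket asks for.

```php
<?php
/**
 * Added example (not 46296.diff, not core code).
 * Answers 403 instead of 200 while a password-protected post is still locked.
 * The function name example_403_for_locked_posts is hypothetical.
 */
add_action( 'template_redirect', 'example_403_for_locked_posts' );

function example_403_for_locked_posts() {
	// Only single post/page views; archives, feeds and search are left alone.
	if ( ! is_singular() ) {
		return;
	}

	$post = get_queried_object();
	if ( ! $post instanceof WP_Post ) {
		return;
	}

	// Private posts do not reach this branch for visitors without access:
	// core already answers 404 for them (comment #1), which keeps their
	// existence hidden, so nothing is changed for that case.

	// post_password_required() is true only while the post has a password
	// and the visitor has not yet supplied the correct one.
	if ( post_password_required( $post ) ) {
		status_header( 403 ); // replaces the default 200 on the password form page
		nocache_headers();    // keep shared caches from storing the locked view

		// Assumption beyond the ticket: also tell crawlers not to index the form page.
		header( 'X-Robots-Tag: noindex', true );
	}
}
```

The password form still renders as before; only the response status and headers change, and once the visitor enters the correct password the post is served with 200 again.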
