If I access-control a post, are file attachments secure?
While posts can be access-controlled, file attachments are public to anyone who has the URL. This is important functionality for email blasts and other types of content that will often link to attachments, but this is counterintuitive for many users who expect the file attachments to have the same access control as the post they are attached to.
While most file attachment names would be impractical to guess, it is important that you do not put confidential, highly sensitive, or potentially damaging information on your website. Learn more about confidential information and your website.
How do I keep Google and other search engines from indexing my file attachments?
It is unlikely but possible that Google might index attachments on access-controlled pages. To tell Google (and other search engines) to not index the contents of your site files directory, system administrators may disable indexing of PDFs sitewide. Note that this will prevent indexing of all your site's PDF files.
This does not guarantee that users will not find these files, so confidential information should be further protected (for instance, with a PDF password) or not uploaded to this website.