WordPress 6.4 actually doesn’t disable attachment pages

Attachment pages are one of the most confusing and misunderstood features in WordPress. Many people don’t get what is the purpose of a feature where the content management system creates a page for each of the images uploaded to the site. The only purpose of this attachment page is that is displays the image in the page template.

An image created by Bing AI with the prompt: wordpress plugin, attachment page, paperclip, minimalistic, 3d, drop shadow

As someone who has developed the plugin Disable Media Pages with the express purpose of disabling these unneccessary attachment pages in WordPress, I was excited to learn that WordPress 6.4 has disabled them by default.

As of WordPress 6.4, attachment pages for new WordPress installations are fully disabled.

Until WordPress 6.4 was released, WordPress created attachment pages by default for every attachment uploaded. On the vast majority of sites, these attachment pages don’t add any meaningful information. They do, however, exist, get indexed by search engines, and sometimes even rank in search results, leading to bad results for users and site owners.

Changes to attachment pages, wordpress.org

However, while testing out this new feature in WordPress 6.4 and figuring out what it means for my plugin, I noticed few issues in the implementation.

Redirects, not 404s

First, just like some plugins like Yoast SEO that provide this feature, WordPress 6.4 will redirect the attachment URLs to the image file. So, if you upload an image called example.jpeg, an attachment page for that image will be created at http://example.com/example . If you visit this page in a WordPress installation where attachment pages are disabled (meaning a fresh installation or one where wp_attachment_pages_enabled has been set to 0 by hand) you will be redirected to http://example.com/wp-content/uploads/example.jpeg . I guess that’s one way of fixing the issue but in my opinion it would be better to return a 404 HTTP code and show the 404 template, which is what my plugin does.

Reserved slugs

Even if you have attachment pages disabled, following the previous example, WordPress will still reserve the slug example for this particular attachment page so that the redirection works. If you ever want to create a page called Example, the slug for that will be example-2 which is not very nice. Disable Media Pages also handles this case by generating random slugs for attachments so they do not collide with page slugs.

It would be nice if attachments are disabled in WordPress core, the rewrite rules regarding them would be removed completely to remove all traces of attachment pages.

It only works for logged-in users

Anyway, these are just mild annoyances regarding the implementation details. The real issue with this feature is that attachment pages are only disabled for users that are logged in.

Following the previous example, if you are logged in to WordPress and visit http://example.com/example you will be correctly redirected to http://example.com/wp-content/uploads/example.jpeg.

However, if you are an anonymous user like a normal website visitor or a search crawler, visiting http://example.com/example will show you the attachment page, even if it’s supposed to be disabled.

The rationale for disabling these pages was that they are confusing and will get indexed by search engines. So, the fact that these pages are only disabled when you are logged in completely defeats to purpose of this feature. It seems like this change was pushed to the new release without sufficient testing and it would not be the only change in WordPress 6.4 that was not tested properly.

How to fix the issue?

So, what causes the issue with attachment pages? Looking at the code, it seems this is because read_post capability is checked before the redirection is performed. Because anonymous users don’t have any capabilities, the redirection work in this case. The code should be changed so that this capability is checked only for attachments that are private.

I have reported this issue on WordPress bug tracker and it will be hopefully fixed in a future release of WordPress 6.4. In the meantime, if you are looking to disable attachment pages in a way that works reliably, I can recommend my Disable Media Pages plugin which is available in the WordPress plugin directory. It also works in WordPress 6.4!

2024-01-30 Update

WordPress 6.4.3 was released on 2024-01-30 and this version fixes the bug where logged-out users can still access the attachment pages. Now these pages are directed to the media file for both logged-in and logged-out users. Excellent work from the WordPress team in fixing this bug!

I still recommend using the Disable Media Pages plugin if you want more control over the attachment pages, real 404 response codes instead of redirects and you don’t want attachments to accidentally reserve slugs from page names.