WordPress sites are crawled by bots from various search engines and unfortunately this allows them access to documents/files that have been uploaded to a WordPress site without actually having to sign into password protected pages containing links to these files. 

The password protected pages themselves are not crawled. Instead the issue is with the uploads folder, which is not protected, can be crawled and indexed by Google and other search engines.

There are plugin options offered by WordPress developers intended to protect documents/folders in WordPress, but at this time none of them have been approved for use in our hosted WordPress environment.

See: How to install plugins - for a list of approved plugins and details on our approval process.

Because of this, we recommend moving all sensitive documentation to Google or Dropbox.

These services allow you to create links to your documents which can be safely included on your password protected pages in WordPress.
This way no one, without an appropriate login to your password protected pages, will be able to access the links or content unless they are posted on an unprotected page or crawlable site.