Certain urls pulling up index.php and generating single.php posts, should they?

Urls such as “mysite.com/?attachment_id=2458” are generating posts visible to the public.. if they were to guess that ID.

Typing “/?attachment_id=” will go to our index.php template (aka our empty blog that I want hidden). Typing “/?attachment_id=2458”, where 2458 is the ID of a photo I have uploaded, will generate a single post using my single.php template. Typing a random id that does not exist (/?attachment_id=1111) will return a 404, as it should.

This behavior is not exclusive to “?attachment_id”… “?taxonomy=” and some other urls being generated by a calendar plugin I have, such as “?tribe_venue=” and “tribe_organizer=”, are pulling up index.php. Just as above,“?tribe_venue=NewOrleans” and “tribe_event=MardiGras” will generate posts using my single.php if “NewOrleans” and “MardiGras” are info I had entered into my calendar.

Some other wordpress sites I visit seem to also pull up the blog if I type “theirsite.com/?taxonomy=”, but some others do not. Is this an option I can turn off?

Troubleshooting: It does this with both default and Prettylinks enabled, my .htaccess file is correct, and I have disabled all my plugins which don’t seem to be the issue.

I am wondering if this is normal behavior but cannot figure out why wordpress would allow people to guess urls and generate posts like this. Most importantly I don’t want “/?taxonomy=” or “?attachement_id=” pulling up our blog template.

Temporary solution: I have replaced index.php and single.php with my 404 template and done some 301 redirects as a temporary fix, any idea how to stop this from happening altogether?

I would rather not post my site’s url, if anybody thinks they can help but needs to see my site I could possibly send it privately.