What I don't understand is how is the cluster exposed to the public. Wouldn't a password be required to execute any command on my web server?
I'm using a forum software called XenForo, they provide a search which uses Elasticsearch. So the public uses this search to find post information. So I don't understand how I would not allow the public to use the search.
No, because security is explicitly disabled, so no password is needed to do anything in your cluster.
Where are you running your cluster and how are you running it? What does your elasticsearch.yml look like?
Just an example: assume that you are running an Elasticsearch instance on an EC2 instance on AWS. If this EC2 instance has an Elastic IP associated with it to be able to receive requests from the public internet, and the security groups/ACLs are not correctly configured, your cluster may be exposed to the public internet.
I do not know this software, but it seems that it uses Elasticsearch to provide search functionality, and the forum software should be able to talk with the Elasticsearch instance using a private IP address. You don't need to expose your Elasticsearch; only the machine running the forum software should be able to access the Elasticsearch instance.