Remove the Windows Live Writer manifest link that WordPress adds to every page’s HTML header. Windows Live Writer was a desktop blogging application that Microsoft discontinued in 2017. WordPress still includes a <link> tag in the <head> section of every page pointing to the WLW manifest file. Nobody uses it anymore. But the tag is still there, pointing to wlwmanifest.xml – a WordPress-specific file that confirms your CMS to any scanner reading the source. One toggle removes it.
What Is the WLW Manifest Script?
The WLW Manifest is a reference to Windows Live Writer, a desktop application from Microsoft that allowed users to write and publish blog posts to WordPress (and other platforms) without opening the browser. To support this, WordPress adds a link tag in your page header:
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://yourdomain.com/wp-includes/wlwmanifest.xml" />This tag points to an XML file in the /wp-includes/ directory that describes your site’s capabilities for Windows Live Writer. The application was discontinued by Microsoft in 2017 and is no longer maintained. Its spiritual successor, Open Live Writer, has minimal adoption. Virtually no one uses either application today. But WordPress still adds the manifest link to every page by default.
Why You Should Remove the WLW Manifest
This is one of the easiest WordPress fingerprints to remove. Here’s why it matters for your hack prevention strategy:
It’s a WordPress-exclusive identifier. The wlwmanifest.xml file and the application/wlwmanifest+xml MIME type are unique to WordPress. No other CMS includes this tag. Scanners and theme detectors check for it as a fast, reliable WordPress confirmation. One tag, one instant identification.
It exposes the wp-includes path. The manifest URL includes /wp-includes/, which is a core WordPress directory. Even if you’ve changed the wp-includes path, the WLW manifest link may still reference the original or reveal the directory structure. Removing the link eliminates this exposure entirely.
It serves zero purpose. Windows Live Writer is discontinued. The manifest file describes capabilities for a dead application. The link tag loads on every page for every visitor, adding a line to your HTML header that nobody will ever use. There is no downside to removing it.
How to Hide WLW Manifest Scripts
- Go to WP Ghost > Tweaks > Hide Options.
- Switch on Hide WLW Manifest Scripts.
- Click Save to apply.
After saving, open your site in a private browser window and view the page source. Search for wlwmanifest – it should not appear anywhere in the HTML.
Frequently Asked Questions
Does anyone still use Windows Live Writer?
Effectively no. Microsoft discontinued Windows Live Writer in 2017. Open Live Writer, an open-source fork, exists but has very limited adoption. If you’re not actively using either application to publish posts to your WordPress site (and you’d know if you were), you don’t need the WLW manifest. Disable it.
What’s the difference between WLW Manifest and RSD?
Both are legacy discovery mechanisms. The WLW manifest tells Windows Live Writer about your site’s capabilities. RSD (Really Simple Discovery) tells remote publishing clients where to find your XML-RPC endpoint. Both are WordPress-specific and both should be disabled for maximum CMS concealment. WP Ghost handles RSD removal in the REST API and XML-RPC tutorial.
Does this affect SEO?
No. The WLW manifest link is not used by search engines for crawling, indexing, or ranking. Removing it has zero SEO impact.
Does WP Ghost modify WordPress core files?
No. WP Ghost removes the WLW manifest link tag from the HTML output through WordPress hooks. The wlwmanifest.xml file still exists in your wp-includes directory but is no longer advertised in the page source. Disabling the feature restores the link tag instantly.
Related Tutorials
Remove all legacy and unnecessary WordPress signals:
- Change the REST API Path – Disable RSD, the other legacy discovery mechanism.
- Disable XML-RPC Access – Block the protocol WLW used for remote publishing.
- Disable Embed Scripts – Remove another unnecessary frontend script.
- Hide WordPress Emoji Icons – Remove the Twemoji library from every page.
- Hide from WordPress Theme Detectors – The complete guide to defeating CMS scanning tools.