Remove the Windows Live Writer manifest link that WordPress adds to every page’s HTML header. Windows Live Writer was a desktop blogging application that Microsoft discontinued in 2017. WordPress still includes a <link> tag in the <head> section of every page pointing to the WLW manifest file. Nobody uses it anymore. But the tag is still there, pointing to wlwmanifest.xml – a WordPress-specific file that confirms your CMS to any scanner reading the source. One toggle removes it.
The WLW Manifest is a reference to Windows Live Writer, a desktop application from Microsoft that allowed users to write and publish blog posts to WordPress (and other platforms) without opening the browser. To support this, WordPress adds a link tag in your page header:
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://yourdomain.com/wp-includes/wlwmanifest.xml" />This tag points to an XML file in the /wp-includes/ directory that describes your site’s capabilities for Windows Live Writer. The application was discontinued by Microsoft in 2017 and is no longer maintained. Its spiritual successor, Open Live Writer, has minimal adoption. Virtually no one uses either application today. But WordPress still adds the manifest link to every page by default.
This is one of the easiest WordPress fingerprints to remove. Here’s why it matters for your hack prevention strategy:
It’s a WordPress-exclusive identifier. The wlwmanifest.xml file and the application/wlwmanifest+xml MIME type are unique to WordPress. No other CMS includes this tag. Scanners and theme detectors check for it as a fast, reliable WordPress confirmation. One tag, one instant identification.
It exposes the wp-includes path. The manifest URL includes /wp-includes/, which is a core WordPress directory. Even if you’ve changed the wp-includes path, the WLW manifest link may still reference the original or reveal the directory structure. Removing the link eliminates this exposure entirely.
It serves zero purpose. Windows Live Writer is discontinued. The manifest file describes capabilities for a dead application. The link tag loads on every page for every visitor, adding a line to your HTML header that nobody will ever use. There is no downside to removing it.
After saving, open your site in a private browser window and view the page source. Search for wlwmanifest – it should not appear anywhere in the HTML.
Effectively no. Microsoft discontinued Windows Live Writer in 2017. Open Live Writer, an open-source fork, exists but has very limited adoption. If you’re not actively using either application to publish posts to your WordPress site (and you’d know if you were), you don’t need the WLW manifest. Disable it.
Both are legacy discovery mechanisms. The WLW manifest tells Windows Live Writer about your site’s capabilities. RSD (Really Simple Discovery) tells remote publishing clients where to find your XML-RPC endpoint. Both are WordPress-specific and both should be disabled for maximum CMS concealment. WP Ghost handles RSD removal in the REST API and XML-RPC tutorial.
No. The WLW manifest link is not used by search engines for crawling, indexing, or ranking. Removing it has zero SEO impact.
No. WP Ghost removes the WLW manifest link tag from the HTML output through WordPress hooks. The wlwmanifest.xml file still exists in your wp-includes directory but is no longer advertised in the page source. Disabling the feature restores the link tag instantly.
Remove all legacy and unnecessary WordPress signals:
Replace the default wp_ database prefix with a random one to protect against SQL injection…
Change the WordPress uploads directory path with WP Ghost (rewrite rules, no files moved) or…
Configure WP Ghost with WP Rocket cache. Enable file optimization, Change Paths in Cache Files.…
https://youtu.be/6ylhojSi-_E In this video, we’ll explore why website security matters and what can happen if…
The security of your WordPress site depends on multiple factors, such as the strength of…
Step-by-step guides to connect WP Ghost 2FA with Google Authenticator, Authy, Microsoft Authenticator, or LastPass.…