13

Often when I find resources about XML-RPC vulnerabilities with respect to the xmlrpc.php file commonly found exposed on WordPress sites, I find alongside the recommendation to remove or block the xmlrpc.php file that it is also recommended to remove wlwmanifest.xml (Windows Live Writer Manifest link).

So far as I can tell wlwmanifest.xml does not offer up any WordPress version information, nor does it seem able to be leveraged for testing username/password credentials as xmlrpc.php does.

Most of the content in the sources below states, in summary, "remove code if not using as it is unnecessary."

Can anyone shed some light as to why this file should also be removed/blocked? If this is not a security concern, is this just simply an optimization?

Thank you!

Sources (that suggest removal/block of wlwmanifest.xml):

jonroethke

3 Answers

9

There's no point in removing it. It's a static file with information on how Windows Live Writer can talk to WordPress.

Discovering that you're running WordPress is usually rather trivial, so nothing much is revealed by this file either.

When it comes to securing WP, focus on staying up to date, via automatic patching.

vidarlo
  • The one link above suggests that by leaving it, someone could write a PHP header that includes it. What's the risk if that happens? – schroeder Apr 03 '20 at 21:41
  • I would guess none. It's a static file. They could as well include it from a remote uri anyway – vidarlo Apr 03 '20 at 21:49
  • It does show the admin url though... – tread Apr 14 '20 at 06:58
  • My 404 log is filled with `wlwmanifest.xml` requests on a simple PHP+static HTML website. :-( How to stop such resource suckers? – Vishal Kumar Sahu Sep 25 '20 at 21:02
  • @stephen WP admin url is so well-known that it does not change anything if it is listed there. Just add `/wp-admin/post.php?id=whatever` to your host and you have it. :-) Maybe, if you are trying to rename `wp-admin` to something else to hide it, then it would be an issue. – dakur Feb 22 '21 at 12:11
5

Some vulnerability scanning scripts check for the existence of this file in order to detect if WordPress is installed. Thus having the file will draw more attention to your WordPress install.

Assuming there is an as yet unknown vulnerability in your WordPress or associated plugins, then having this file installed will draw attention to your WordPress installation.

Removing it makes it a tiny bit less likely that your WordPress install will be exploited.

Jay
  • That is true. On the other side, Wordpress exposes its existence by having **all** assets in public `wp-` prefixed folders (e.g. `wp-content`), so deleting `wlwmanifest.xml` does not mean much if you do not rename these folders as well. – dakur Feb 22 '21 at 12:08
  • This is correct. I manage a server *without wp on it* and our 404 records are filled with the manifest. – Dr Rob Lang Sep 14 '21 at 07:53
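To see what those fingerprinting sweeps look like from the defender's side (the 404 logs full of `wlwmanifest.xml` that the comments describe), here is an added Python example; it is not code from the question or any answer. The log lines are constructed for the example in combined log format using RFC 5737 test addresses, and `PROBE_PATTERNS` is my own assumed list of the well-known WordPress paths this thread mentions, not an exhaustive scanner signature. The point it demonstrates is dakur's: `wlwmanifest.xml` is only one of several probes a scanner sends, and a host without WordPress answers 404 to all of them.

```python
"""Spot WordPress fingerprinting sweeps in a web server access log.

Added example, not code from the question or the answers. SAMPLE_LOG is
constructed for this example (combined log format, RFC 5737 test addresses);
PROBE_PATTERNS is an assumed list of well-known WordPress paths, the ones this
thread mentions, not an exhaustive scanner signature.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Paths whose presence (or a 404 for them) tells a scanner about WordPress.
PROBE_PATTERNS = (
    "wlwmanifest.xml",
    "xmlrpc.php",
    "wp-login.php",
    "/wp-admin",
    "/wp-content/",
    "/wp-includes/",
)

SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2020:21:02:01 +0000] "GET /wp-includes/wlwmanifest.xml HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2020:21:02:01 +0000] "GET /blog/wp-includes/wlwmanifest.xml HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2020:21:02:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2020:21:02:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Sep/2020:21:05:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Sep/2020:21:05:11 +0000] "GET /wp-includes/wlwmanifest.xml HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.9 - - [25/Sep/2020:21:07:00 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def is_probe(path: str) -> bool:
    """True if the request path is one of the WordPress indicator paths."""
    return any(pattern in path for pattern in PROBE_PATTERNS)


def probe_summary(log_text: str) -> dict:
    """Group indicator-path requests by client address.

    Returns {ip: {"requests": n, "paths": {distinct paths}, "not_found": n_404}}.
    """
    summary = defaultdict(lambda: {"requests": 0, "paths": set(), "not_found": 0})
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None or not is_probe(record["path"]):
            continue
        entry = summary[record["ip"]]
        entry["requests"] += 1
        entry["paths"].add(record["path"])
        if record["status"] == "404":
            entry["not_found"] += 1
    return dict(summary)


def likely_scanners(log_text: str, min_distinct_paths: int = 2) -> list:
    """Clients that touched several different indicator paths: a fingerprinting
    sweep rather than a single stray request for the manifest."""
    return sorted(
        ip
        for ip, entry in probe_summary(log_text).items()
        if len(entry["paths"]) >= min_distinct_paths
    )


if __name__ == "__main__":
    for ip, entry in probe_summary(SAMPLE_LOG).items():
        print(f"{ip}: {entry['requests']} probe(s), {entry['not_found']} returned 404, "
              f"paths={sorted(entry['paths'])}")
    print("likely scanners:", likely_scanners(SAMPLE_LOG))
```

Run against a real access log, the `likely_scanners` list is what you would feed a rate limiter or fail2ban-style jail; a single manifest request from an address that otherwise fetches normal pages (the second address above) is more likely a Live Writer client or a stray crawler than a sweep, which is why the threshold counts distinct indicator paths rather than raw requests.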
1

My best guess is that it contains your admin URL.

```xml
<adminUrl>
<![CDATA[ {blog-postapi-url}/../wp-admin/ ]]>
</adminUrl>
```

For 99% of WordPress sites, your admin URL is `<your-domain>/wp-admin` but some people prefer to change the default admin URL to hide their login page. This was a much more common practice years ago when hacking a WordPress site from the login page was a trivial matter. If you were to change your admin URL in such a way that this file continued to track its location, then your attempt to hide it could be easily thwarted.

Personally, I would not worry about hiding your login page to begin with. As long as you have proper brute force protection, keep things properly updated, and use a decent password (or better yet: 2-factor authentication) hiding your admin URL is both unnecessary and exposes a lot of potential for unwanted side effects.

Nosajimiki
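To make the point of this answer concrete, here is an added Python example (not code from the question or any answer) that resolves the `<adminUrl>` template the way a Live Writer-style client would. It assumes the client substitutes the blog's XML-RPC endpoint URL for `{blog-postapi-url}` and then lets the HTTP stack collapse the `..` segment. Both manifests are constructed for the example: `STOCK_MANIFEST` is modelled on the fragment quoted above, and `CUSTOM_MANIFEST` is a hypothetical site that rewrote the manifest to follow a renamed admin path (`hidden-dashboard-9f3` is made up). The stock template is relative, so it only ever resolves to `wp-admin/` next to `xmlrpc.php`, which the endpoint URL already gives away; only an edited manifest leaks anything.

```python
"""Resolve the adminUrl advertised by a WordPress wlwmanifest.xml.

Added example, not code from the question or the answers. STOCK_MANIFEST is
constructed to mirror the <adminUrl> fragment quoted in the answer;
CUSTOM_MANIFEST is a hypothetical manifest edited to follow a renamed admin
path. The placeholder substitution mimics what a Live Writer client does
(an assumption of this example, not verified against the client).
"""
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit, urlunsplit

PLACEHOLDER = "{blog-postapi-url}"

STOCK_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns="http://schemas.microsoft.com/wlw/manifest/weblog">
  <weblog>
    <serviceName>WordPress</serviceName>
    <adminUrl>
      <![CDATA[
        {blog-postapi-url}/../wp-admin/
      ]]>
    </adminUrl>
  </weblog>
</manifest>
"""

# Hypothetical: a site owner renamed wp-admin and updated the manifest to match.
CUSTOM_MANIFEST = STOCK_MANIFEST.replace("/../wp-admin/", "/../hidden-dashboard-9f3/")


def local_name(tag: str) -> str:
    """Strip the XML namespace from an element tag ('{ns}adminUrl' -> 'adminUrl')."""
    return tag.rsplit("}", 1)[-1]


def manifest_admin_template(manifest_xml: str) -> str:
    """Return the raw <adminUrl> template (CDATA text with surrounding whitespace stripped)."""
    root = ET.fromstring(manifest_xml)
    for element in root.iter():
        if local_name(element.tag) == "adminUrl":
            return (element.text or "").strip()
    raise ValueError("manifest has no <adminUrl> element")


def resolve_admin_url(manifest_xml: str, postapi_url: str) -> str:
    """Substitute the XML-RPC endpoint for the placeholder, then collapse '..'
    segments in the path the way an HTTP client would before sending the request."""
    template = manifest_admin_template(manifest_xml)
    substituted = template.replace(PLACEHOLDER, postapi_url)
    parts = urlsplit(substituted)
    path = posixpath.normpath(parts.path)
    if parts.path.endswith("/") and not path.endswith("/"):
        path += "/"  # normpath drops the trailing slash; keep it
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


def leaks_nondefault_admin_path(manifest_xml: str, postapi_url: str) -> bool:
    """True when the manifest points somewhere other than the well-known wp-admin/
    sitting next to xmlrpc.php, i.e. when the file tells an attacker something new."""
    expected = urljoin(postapi_url, "wp-admin/")
    return resolve_admin_url(manifest_xml, postapi_url) != expected


if __name__ == "__main__":
    api = "https://example.com/xmlrpc.php"
    for label, manifest in (("stock", STOCK_MANIFEST), ("custom", CUSTOM_MANIFEST)):
        print(f"{label}: {resolve_admin_url(manifest, api)}  "
              f"leaks non-default path: {leaks_nondefault_admin_path(manifest, api)}")
```

The subdirectory case is worth noting: for an install at `https://example.com/blog/` the stock template resolves to `https://example.com/blog/wp-admin/`, which is still the default location relative to the endpoint, so `leaks_nondefault_admin_path` correctly reports nothing new.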