Is it necessary to remove the wlwmanifest.xml file in WordPress?
Often when I find resources about XML-RPC vulnerabilities with respect to the xmlrpc.php file commonly found exposed on WordPress sites, I find alongside the recommendation to remove or block the xmlrpc.php file that it is also recommended to remove wlwmanifest.xml (Windows Live Writer Manifest link).
So far as I can tell wlwmanifest.xml does not offer up any WordPress version information, nor does it seem able to be leveraged for testing username/password credentials as xmlrpc.php does.Most of the content in the sources below states, in summary, "remove code if not using as it is unnecessary."
Can anyone shed some light as to why this file should also be removed/blocked? If this is not a security concern, is this just simply an optimization?
My best guess regarding the wlwmanifest.xml file is that it contains your admin URL.
For 99% of Wordpress sites, your admin URL is "/wp-admin" but some people prefer to change the default admin URL to hide their login page. This was a much more common practice years ago when hacking a WordPress site from the login page was a trivial matter. If you were to change your admin URL in such a way that this file continued to track it's location, then your attempt to hide it could be easily thwarted. Personally, I would not worry about hiding your login page to begin with. As long as you have proper brute force protection, keep things properly updated, and use a decent password (or better yet: 2-factor authentication) hiding your admin URL is both unnecessary and exposes a lot of potential for unwanted side effects.