I’m noticing repeated HTTP requests like GET //wp-includes/wlwmanifest.xml and similar WordPress-related paths in my server logs, even though I don’t use WordPress. The source shows as localhost due to Nginx.
Why would someone or something be scanning for wlwmanifest.xml? Is this part of an automated probe for vulnerable WordPress installations or something else related to wlwmanifest.xml?
Yeah, I’ve seen those exact same requests in my logs, even on non-WordPress servers.
It’s almost always bots or automated scanners looking for exposed WordPress endpoints like wlwmanifest.xml, xmlrpc.php, or wp-login.php.
They’re checking if your site is running WordPress so they can target known vulnerabilities.
If you’re not using WordPress, it’s safe to ignore or block those with Nginx rules or a firewall.
I added a basic rate limit on 404s to cut down on the noise.
@sakshikuchroo This happened to me on a Django site!
I had dozens of GET requests targeting different WordPress paths, all failing with 404s.
Turns out it was just part of an automated reconnaissance tool scanning the internet.
These tools try paths like /blog/wp-includes/wlwmanifest.xml, /site/wp-admin/, and so on, hoping to find an old or poorly configured WP install.
I ended up setting up alerts for repeated 404s on specific patterns like wlwmanifest.xml so I could watch for abuse without blocking harmless traffic.
While most of these are bots scanning for WordPress, I actually had a case where a marketing tool we used was probing URLs to check for blog integrations, it tried some of these paths assuming WordPress might be in use.
But yes, wlwmanifest.xml is associated with Windows Live Writer and older XML-RPC blogging APIs, so it’s a telltale sign the bot’s checking for WordPress.
I’ve added some dummy redirects just to reduce log clutter and avoid raising security flags unnecessarily.