If you don’t want to expose your WSDL, turn off HttpGetEnabled and remove metadata exchange (mex) endpoints

J.D. Meier, Jason Taylor, Prashant Bansode, Carlos Farre, Madhu Sundararajan, Steve Gregersen.

Set the httpGetEnabled and httpsGetEnabled attributes to False on the serviceMetadata element, and remove any endpoints on your service that implement the IMetadataExchange contract.

This is especially important after your clients are built and deployed, if you don’t expect any other clients to discover and use the WCF service. If the metadata is exposed, unwanted clients will be able to generate proxy files (e.g. using SvcUtil.exe) and inspect potentially sensitive methods and parameters offered by the service.

The following configuration disables sharing service metadata:
<serviceMetadata httpGetEnabled="False" httpsGetEnabled="False"/>
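As an added example (not part of the original guideline), the following audit check parses a WCF configuration file and reports both conditions the guideline names: an enabled serviceMetadata HTTP(S) GET attribute and any endpoint using the IMetadataExchange contract. The two embedded configurations, the service name Sample.OrderService and the function name metadata_exposures are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: metadata published over HTTP GET plus a mex endpoint.
EXPOSED = """<configuration><system.serviceModel>
  <services>
    <service name="Sample.OrderService" behaviorConfiguration="b">
      <endpoint address="" binding="wsHttpBinding" contract="Sample.IOrderService"/>
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
    </service>
  </services>
  <behaviors><serviceBehaviors><behavior name="b">
    <serviceMetadata httpGetEnabled="True" httpsGetEnabled="False"/>
  </behavior></serviceBehaviors></behaviors>
</system.serviceModel></configuration>"""

# Constructed sample: the same service with metadata sharing disabled.
HARDENED = """<configuration><system.serviceModel>
  <services>
    <service name="Sample.OrderService" behaviorConfiguration="b">
      <endpoint address="" binding="wsHttpBinding" contract="Sample.IOrderService"/>
    </service>
  </services>
  <behaviors><serviceBehaviors><behavior name="b">
    <serviceMetadata httpGetEnabled="False" httpsGetEnabled="False"/>
  </behavior></serviceBehaviors></behaviors>
</system.serviceModel></configuration>"""

def metadata_exposures(config_xml):
    """Return a list of findings; an empty list means none were found."""
    root = ET.fromstring(config_xml)
    findings = []
    for sm in root.iter("serviceMetadata"):
        for attr in ("httpGetEnabled", "httpsGetEnabled"):
            if sm.get(attr, "false").strip().lower() == "true":
                findings.append(f"serviceMetadata {attr} is enabled")
    for svc in root.iter("service"):
        for ep in svc.iter("endpoint"):
            # The contract may be written with or without its namespace.
            if ep.get("contract", "").split(".")[-1] == "IMetadataExchange":
                findings.append(f"service {svc.get('name')} exposes an "
                                f"IMetadataExchange endpoint at address '{ep.get('address', '')}'")
    return findings

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(label, metadata_exposures(cfg) or "no metadata exposure found")
```

The check covers only what is declared in the configuration file it is given; metadata behaviors added in code or inherited from another configuration file are outside its view.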

