Title: Avoid syncAttackData script tag in cached pages
Last modified: May 19, 2020

---

# Avoid syncAttackData script tag in cached pages

 *  [mingyeungs](https://wordpress.org/support/users/mingyeungs/)
 * (@mingyeungs)
 * [5 years, 11 months ago](https://wordpress.org/support/topic/avoid-syncattackdata-script-tag-in-cached-pages/)
 * I’m using Wordfence with WordPress fastest cache, and noticed that on some (cached)
   pages, there is this script tag `<script type="text/javascript" src="https://
   mydomain.com/?wordfence_syncAttackData=xxxxx" async></script>` inside the <head/
   > tag.
 * The script sometimes loads very slowly (>10 sec), and blocks the execution of
   some window.onload script.
 * Searching the forum I found [https://wordpress.org/support/topic/syncattackdata-query-parameters/](https://wordpress.org/support/topic/syncattackdata-query-parameters/),
   which said that this script “isn’t supposed to appear in the page source for 
   visitors…However, it can do that if your site is not able to make the call in
   the normal way.”.
 * So, what is needed for Wordfence to make calls in the ‘normal way’?
    Also, are
   there a way to absolutely prevent Wordfence from adding this script (and any 
   other script tag?) under all circumstances?
 * FYI, the site I’m dealing with is running:
 * – WordPress 5.4
    – Wordfence 7.4.6 – using the MySQLi storage engine mode [https://www.wordfence.com/help/firewall/mysqli-storage-engine/](https://www.wordfence.com/help/firewall/mysqli-storage-engine/)–
   inside Azure Webapp for Container [https://azure.microsoft.com/en-us/services/app-service/containers/](https://azure.microsoft.com/en-us/services/app-service/containers/)–
   using the default WordPress Docker image [https://hub.docker.com/_/wordpress/](https://hub.docker.com/_/wordpress/)–
   currently put behind .htpasswd password protection
 * Any help is appreciated!

Viewing 5 replies - 1 through 5 (of 5 total)

 *  [WFGerroald](https://wordpress.org/support/users/wfgerald/)
 * (@wfgerald)
 * [5 years, 11 months ago](https://wordpress.org/support/topic/avoid-syncattackdata-script-tag-in-cached-pages/#post-12865105)
 * Hey [@mingyeungs](https://wordpress.org/support/users/mingyeungs/),
 * Can you please try whitelisting your server IP and let me know if it helps? If
   it doesn’t, I’ll bump the developers for their thoughts.
 * Thanks,
 * Gerroald
 *  Thread Starter [mingyeungs](https://wordpress.org/support/users/mingyeungs/)
 * (@mingyeungs)
 * [5 years, 11 months ago](https://wordpress.org/support/topic/avoid-syncattackdata-script-tag-in-cached-pages/#post-12868464)
 * Dear [@wfgerald](https://wordpress.org/support/users/wfgerald/) ,
 * I tried adding the IP that our domain’s A record specified in the IP whitelist,
   but it doesn’t seem to make a difference. As our site is running across multiple
   instances (scale-out), I ain’t sure whether the IP entered is the “server IP”
   you’re referring to.
 * Some questions:
    1. How often should this script run? 2. What are the drawbacks
   if we remove the script from the website frontend (assuming we hack the plugin/
   disable it with hook)? 3. can we do it using a cronjob instead?
 * The loading time of this script is too unstable – while it has the “async” attribute
   which solve the blocking issue, it is still make the webpage appears as ‘loading’
   in the browser tab, which our client doesn’t accept.
 * Thank you very much for your help!
 *  [WFGerroald](https://wordpress.org/support/users/wfgerald/)
 * (@wfgerald)
 * [5 years, 11 months ago](https://wordpress.org/support/topic/avoid-syncattackdata-script-tag-in-cached-pages/#post-12877072)
 * Hey [@mingyeungs](https://wordpress.org/support/users/mingyeungs/),
 * Thanks for all of the information.
 * Can you send me a **Diagnostics** report so I can get a better overview of your
   environment? Please navigate to **Wordfence > Tools > Diagnostics**. Here you
   can select `SEND REPORT BY EMAIL`. Please include your WordPress.org username
   and update this thread after you’ve sent it.
 * Once I receive this I’ll bump the developers.
 * Thanks,
 * Gerroald
 *  [WFGerroald](https://wordpress.org/support/users/wfgerald/)
 * (@wfgerald)
 * [5 years, 11 months ago](https://wordpress.org/support/topic/avoid-syncattackdata-script-tag-in-cached-pages/#post-12877095)
 * Hey [@mingyeungs](https://wordpress.org/support/users/mingyeungs/),
 * Also, looking through other similar cases as a test can you switch to a WordPress
   default theme and visit those links? If those links return a blank page it may
   be a theme issue.
 * Please let me know.
 * Thanks,
 * Gerroald
 *  Thread Starter [mingyeungs](https://wordpress.org/support/users/mingyeungs/)
 * (@mingyeungs)
 * [5 years, 11 months ago](https://wordpress.org/support/topic/avoid-syncattackdata-script-tag-in-cached-pages/#post-12885407)
 * Hi [@wfgerald](https://wordpress.org/support/users/wfgerald/),
 * I’ve just `SEND REPORT BY EMAIL` with my username mingyeungs.
 * Regarding ‘switch to a WordPress default theme and visit those links’, I’m sorry
   but our client won’t let us make any changes to the site, as their management
   team is reviewing the site now.
 * If I visit “[https://mydomain.com/?wordfence_syncAttackData=xxxxxxx.xxxx&#8221](https://mydomain.com/?wordfence_syncAttackData=xxxxxxx.xxxx&#8221);
   with a browser using existing theme, it’s 50/50 chance seeing a blank page or
   seeing the website homepage (both with `200` as response code)
 * Btw, we’ve temporarily commented out Line 8427 `echo "<script type=\"text/javascript\"
   src=\"$URL\" async></script>";` in wordfenceClass.php, so that the management
   team won’t be put off by the script issue; and notice a side effect that the ‘
   complex’ attack block by the firewall is massively reduced (but still very high
   IMHO). As our site hasn’t been put to live yet, I don’t think we should be seeing
   any attack, or at least not that high?
    [⌊Screenshot-2020-05-25-at-12-42-48⌉](https://ibb.co/9vDTdbd)
 * Thanks,
    Ming

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘Avoid syncAttackData script tag in cached pages’ is closed to new replies.

 * ![](https://ps.w.org/wordfence/assets/icon.svg?rev=2070865)
 * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/wordfence/)
 * [Active Topics](https://wordpress.org/support/plugin/wordfence/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/)

## Tags

 * [async](https://wordpress.org/support/topic-tag/async/)
 * [blocking](https://wordpress.org/support/topic-tag/blocking/)
 * [cache](https://wordpress.org/support/topic-tag/cache/)
 * [syncattackdata](https://wordpress.org/support/topic-tag/syncattackdata/)
 * [wpfc](https://wordpress.org/support/topic-tag/wpfc/)

 * 5 replies
 * 2 participants
 * Last reply from: [mingyeungs](https://wordpress.org/support/users/mingyeungs/)
 * Last activity: [5 years, 11 months ago](https://wordpress.org/support/topic/avoid-syncattackdata-script-tag-in-cached-pages/#post-12885407)
 * Status: not resolved