What the Heck is wpkg.org, and Why Are We Being Redirected to It?

Web users in Beijing and indeed around China are wondering what's up with their browsers, as many of them are complaining that visits to overseas sites are being automatically redirected to a site called wpkg.org (and in some cases ptraveler.com).

UPDATE 5/2: Authorities: WPKG.org Reroute Was an Overseas Hack

Prevailing theories say the redirect only happens when visiting sites that contain "Login with Facebook" or "Connect with Facebook" buttons (aka most of the sites in the known Western world). Facebook itself works normally (provided you are using a VPN).

"If Chinese users visit a page which has the 'Login with Facebook' or 'Connect with Facebook' button, Facebook's Javascript code gets replaced with Javascript that's loaded from wpkg.org or ptraveler.com," Mikko Hypponen, chief research officer at Finnish software security firm F-Secure, told Channel News Asia, saying the redirect has something to do with the Javascript on the page.

What's odd is that it seems that the redirect does not happen consistently on every page of every site, and sometimes there is a delay before the redirect. Using a VPN does not stop the weirdness, some users report.

There does not seem to be any significance to the sites that are receiving the redirects. WPKG is a website for an open source automated software deployment, upgrade, and removal program for Windows, while ptraveler is the personal travel blog of a young Polish couple.

Chinese users have noticed the redirect as well.

Users on our forum and on Reddit are reporting possible workarounds, with some suggesting that ad blocking software may be able to prevent the redirects and others suggesting it might be a computer virus.

However, one computer expert said a virus can be ruled out because the redirects are platform- and device-independent and so far have only been reported in one geographic area (China). "A virus typically attacks only one platform, it wouldn't affect so many devices like that at the same time," he said.

Other theories include some sort of web malfunction, a hack, or some nefarious plan to prevent us Beijingers from getting updates from our hometown websites.

We'll keep you posted as the situation develops.

Image: Screenshot from wpkg.org


Wing Chun (咏春拳), the first Chinese martial art learned by the legendary Bruce Lee, is often best known for its principles of simultaneous attack and defense. This experience later inspired him to create his own style of “gong-fu” in the U.S., Jeet Kune Do (截拳道) – literally, “Way of the Intercepting Fist”. It appears that this philosophy of interception and redirected attacks has come back to roost in China in cyber form. China has been using DNS poisoning to redirect users attempting to access censored sites to legitimate sites it wants to take down via Distributed Denial of Service (DDoS) attacks.

Recently observed activity shows that the infamous censorship apparatus the Great Firewall of China (GFW – 中国防火长城) changed its method of redirecting users from sites deemed dangerous by the Chinese Communist Party (CCP). Prior to early January 2015, users within China trying to access restricted sites such as Facebook, Google, and Twitter were simply redirected to a block of IP addresses, many of which were nonexistent. After a short while, users would receive a timeout message or an error message saying the website was unavailable.

This form of DNS poisoning was fairly easy to route around, since the GFW used a small subset of IPs to redirect traffic; users quickly developed anti-poisoning tools[1] that recognized the few fake IP addresses and automatically circumvented the block. However, the upgrade has adopted a new strategy: redirecting users to random real IP addresses. This makes it much more difficult for anti-censorship supporters to develop anti-poisoning tools, since the IPs are random and there are no discernible patterns. Around the same time, several of the most popular VPN services in China (which hundreds of thousands of business owners and academics use every day to access sites like YouTube and Google) became unavailable as the Cyberspace Administration of China (CAC) appeared to tighten its grip on normal workarounds.[2]
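To make the difference between the two poisoning strategies concrete, here is an added example (not code from the original article or from any anti-poisoning tool it cites). It runs a fake-pool check and a reference comparison over two constructed answer logs; the names, addresses, `REFERENCE` table and function names are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed DNS answer logs: (queried name, answer IP). All names and
# addresses are made up (RFC 5737 documentation ranges), not observations.
OLD_STYLE = [  # small fixed pool of fake addresses, reused across names
    ("blocked-a.example", "203.0.113.10"), ("blocked-b.example", "203.0.113.10"),
    ("blocked-c.example", "203.0.113.11"), ("blocked-a.example", "203.0.113.11"),
]
NEW_STYLE = [  # a different, unrelated address in every answer
    ("blocked-a.example", "198.51.100.23"), ("blocked-b.example", "192.0.2.77"),
    ("blocked-c.example", "198.51.100.140"), ("blocked-a.example", "192.0.2.5"),
]
# Assumption: reference answers obtained over a path the client trusts.
REFERENCE = {
    "blocked-a.example": {"203.0.113.200"},
    "blocked-b.example": {"203.0.113.201"},
    "blocked-c.example": {"203.0.113.202"},
}

def learn_shared_pool(log, min_names=2):
    """Learn a fake-IP pool: addresses returned for several unrelated names."""
    names_per_ip = defaultdict(set)
    for name, ip in log:
        names_per_ip[ip].add(name)
    return {ip for ip, names in names_per_ip.items() if len(names) >= min_names}

def flag_by_pool(log, pool):
    """Fixed-pool check: flag answers whose address is in the known pool."""
    return [(name, ip) for name, ip in log if ip in pool]

def flag_by_reference(log, reference):
    """Flag answers that disagree with the trusted reference set for the name."""
    return [(name, ip) for name, ip in log
            if name in reference and ip not in reference[name]]

def compare(log):
    """Summarise how each check performs on one answer log."""
    pool = learn_shared_pool(log)
    return {"pool_size": len(pool),
            "pool_hits": len(flag_by_pool(log, pool)),
            "reference_hits": len(flag_by_reference(log, REFERENCE))}

if __name__ == "__main__":
    print("fixed pool :", compare(OLD_STYLE))
    print("random IPs :", compare(NEW_STYLE))
```

On the fixed-pool log both checks flag every answer; on the random-address log the learned pool is empty and only the reference comparison still fires. A reference mismatch is a prompt to verify further, since legitimate services also change addresses.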

Possibly more disturbing than the idea of China once again suppressing its masses with remarkable efficiency is what China has been doing with its newfound method of censorship. Early January 2015 reporting indicates that after the GFW was believed to have been upgraded, thousands of Chinese Internet users attempted to visit censored sites and were instead directed to a variety of sites.[3] In one case, the destination was a German pornographic site, something that would normally be outlawed in China as pornography is illegal.

Other “random” candidates included a government site in South Korea, an American firewall and security company, and a French digital freedom association, among countless others. For all victims except the South Korean government site, it was confirmed that the traffic caused a DDoS attack, as servers not normally prepared to handle that kind of load were suddenly pummeled with traffic redirected from China. Since hosting with DDoS protection like Cloudflare and Arbor Networks is often not yet affordable for many of these smaller sites, most of these system admins were left to deal with the massive problem on their own.[4] [5]

The sites mentioned above are particularly notable, as each illustrates a possibility for what this DNS poisoning and DDoS combination can do. The South Korean government site shows the ability for China to potentially knock foreign government sites offline by simply redirecting traffic for a brief period and claiming a “glitch” caused the attack. This carries serious implications, especially if the DDoS attack is directed at an election site, which was a tactic CrowdStrike observed several times in 2014 and that had an impact on democratic elections. The DDoS attack on the American firewall company was also interesting as it shows the ability to gauge a security company’s response to attacks, possibly in advance of further cyber action against the security firm’s customers.

The most disturbing by far, however, is the attack against the French digital freedom site, as it shows the potential for China to not only censor its own citizens, but then also use them to censor other sites that advocate digital freedom[6] with DDoS attacks, in essence becoming a self-perpetuating censorship machine. With more than 632 million Chinese Internet users (CNNIC June 2014 estimate) and a censorship juggernaut capable of censoring the majority of that population, China has effectively turned the GFW into the largest botnet in the world. And like all good botnets, its host of “zombie users” are most likely blissfully unaware of their involvement in the attacks. This was reiterated as several of the DDoS victim sites voiced their feelings of frustration and helplessness in public blogs, only to have Chinese netizens respond by saying they felt “ashamed” that the attacks were connected to the GFW.

All of this comes on the heels of what appears to be a giant consolidation of power by the CAC and new head LU Wei (鲁炜).[8] This has manifested over the past several months with a December 2014 CAC takeover of the China Internet Network Information Center (CNNIC), which is a designated certificate authority. There were also several Man-In-The-Middle (MITM) attacks against mail users from Yahoo, Google, and Apple during late 2014, before another attack was carried out against Microsoft Outlook in January 2015 with some fairly damning evidence pointing the finger at the CAC provided by anti-censorship site GreatFire.org.[9] Finally, the crackdown on popular VPN services in late January 2015 indicates that this is a coordinated campaign to suppress and censor not just domestically, but overseas as well. China is no longer harnessing only an attractive, rapidly growing tech market as leverage over foreign countries and companies hoping to do business in China, but now also its own citizens.

The fact that the GFW sprang out of something called the “S219/Golden Shield Project” makes it clear this notion of simultaneous attack and defense suits China well, and that it will likely continue to use its existing strengths of a large population and the world’s most restrictive censorship apparatus to its advantage.

Turns out using a shield as a weapon isn’t just for Captain America anymore.

Thought it was a virus too. It's not. Here's the solve, which a colleague in my office showed me:

(you may need to translate the Chinese)


Rock on!

WPKG redirect problem solved:


I have been having this problem all morning. I have found a fix here on Reddit:

Check out like45ninjas' response. Use an Adblocker extension in your web browser and block the following urls:



I recommend clearing your browser cache and restarting your Mac before checking if it is fixed.

Has worked for me so far.

My office is in Shanghai, and all the colleagues in my office have been facing the same issue since yesterday. We get the same issue even when we change the proxy to a Hong Kong-based one.

It is not a virus. No virus can do this on so many computers, on which we don't even have admin permission.

And when I disabled JavaScript in my Chrome browser, the redirect stopped. I will test like45ninjas's solution to filter the JS below when I get admin permission on my desktop. I believe it will work.



Quick solution for Chrome users without any add-on.

Go to Chrome - Setting menu - Privacy - Content Setting - JavaScript - Manage Exception, add two blocks for [*.]wpkg.org and [*.]ptraveler.com. Save it. Then the issue is gone.

BTW, also look out for this when accessing Facebook:

the text is:


This Connection is Untrusted

You have asked Firefox to connect securely to www.facebook.com, but we can't confirm that your connection is secure.

Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
What Should I Do?

If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.

www.facebook.com uses an invalid security certificate.

The certificate is only valid for the following names:
  *.hostgator.com, hostgator.com  

(Error code: ssl_error_bad_cert_domain)


and the names listed in bold frequently change
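The name check behind the Firefox error quoted in the comment above, as an added example that is not part of the original comment or of Firefox's code. It applies RFC 6125-style matching to constructed observations (only the first row mirrors the quoted error) and counts how many different mismatching certificates one host presented; the `HSTS_HOSTS` set and all function names are assumptions.

```python
# Constructed observations: (requested host, names in the certificate presented).
# Only the first row mirrors the error quoted above; the rest are made up.
OBSERVATIONS = [
    ("www.facebook.com", ["*.hostgator.com", "hostgator.com"]),
    ("www.facebook.com", ["shop.example.net"]),
    ("www.facebook.com", ["*.example.org", "example.org"]),
    ("www.example.org", ["*.example.org", "example.org"]),
]
HSTS_HOSTS = {"www.facebook.com"}  # assumption: hosts the client holds HSTS state for

def name_matches(hostname, pattern):
    """RFC 6125-style match: '*' may stand for exactly one leftmost label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat

def verdict(hostname, cert_names, hsts_hosts=HSTS_HOSTS):
    """Return what a strict client does with this certificate."""
    if any(name_matches(hostname, n) for n in cert_names):
        return "ok"
    # With HSTS there is no 'add exception' option, as in the quoted page.
    return "blocked" if hostname in hsts_hosts else "warn"

def churn_report(observations):
    """Per host, count the distinct mismatching certificate name sets seen."""
    seen = {}
    for host, names in observations:
        if verdict(host, names) != "ok":
            seen.setdefault(host, set()).add(frozenset(n.lower() for n in names))
    return {host: len(sets) for host, sets in seen.items()}

if __name__ == "__main__":
    for host, names in OBSERVATIONS:
        print(host, names, "->", verdict(host, names))
    print(churn_report(OBSERVATIONS))
```

A host that keeps presenting certificates for different unrelated names, as the commenter describes, shows up in `churn_report` with a count above one, which is consistent with connections landing on a different real server each time.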



This one is working for me. Thanks for the solution.

Thanks for the input.

This method did not, however, work for me. If WPKG appears randomly, a quick way to test if it has improved is to visit www.imdb.com

I instantly get redirected from there.

Good luck guys!


I'm in China and have been experiencing this problem on all my devices. For the laptop, I just disabled javascript in my Chrome browser settings and not only am I NOT being redirected anymore, pages are loading almost instantly - it's like my internet is working much faster! I'm a layman, so I don't know if we NEED javascript, or what it does, but this has more than worked for me.

PS - the above solutions did not work for me, I tried blocking the sites through my Chrome settings to no avail.
