WordPress login redirect loop means you enter valid credentials, but instead of reaching the dashboard, WordPress keeps sending you back to the login page or into an endless redirect. In most cases, the cause is not your password. It is a cookie problem, bad site URL settings, a plugin conflict, broken redirect logic, or a reverse proxy and HTTPS mismatch.
This issue is common after migrations, SSL changes, plugin updates, cache problems, and reverse proxy setups. The fix is usually straightforward once you isolate whether the loop is caused by cookies, URLs, plugins, or server configuration.
Quick Fix
- Clear cookies for your WordPress site and try again.
- Open the login page in a private or incognito window.
- Check that
WordPress Address (URL)andSite Address (URL)are correct. - Disable caching, security, and redirect plugins temporarily.
- Restore the default
.htaccessfile if redirects may be broken. - Make sure HTTPS and reverse proxy settings match the real site URL.
- Disable the active theme or recent plugins manually if you cannot access wp-admin.
- Check whether the problem affects only
/wp-admin/or all logged-in areas. - Clear server, plugin, CDN, and browser cache.
- Review logs before changing multiple things at once.
What Is a WordPress Login Redirect Loop?
A WordPress login redirect loop happens when WordPress accepts the login request but does not keep the authenticated session properly. Instead of loading /wp-admin/, it redirects you back to wp-login.php, refreshes the same page, or throws a “too many redirects” error.
This is usually a session problem, not a credential problem. WordPress depends on login cookies to recognize that you successfully authenticated. If those cookies are blocked, mismatched, or invalid for the current site URL, the login state does not stick.
You may notice one or more of these symptoms:
- you log in, but return to the login page,
/wp-admin/opens briefly and then redirects out,- the browser shows ERR_TOO_MANY_REDIRECTS,
- the problem started after changing domain, SSL, or hosting,
- the site works in one browser session but not another.
Why WordPress Login Redirect Loops Happen
Most login loops come from a small number of causes. The trick is checking them in the right order.
1. WordPress Cookies Are Broken or Mismatched
This is the biggest cause.
WordPress uses cookies to track admin authentication and logged-in state. If the browser does not keep them correctly, or if WordPress sets them for the wrong domain or path, the login does not persist.
Typical causes include:
- stale browser cookies,
- cookies written for the wrong domain,
- cookies broken after site migration,
- incorrect HTTP/HTTPS handling,
- conflicting cookie definitions in custom code.
2. Site URL and Home URL Are Wrong
If home and siteurl do not match the real site address, WordPress can redirect logins incorrectly.
This often happens after:
- changing from HTTP to HTTPS,
- switching between
wwwand non-www, - moving the site to a new domain,
- putting WordPress behind a proxy or subdirectory.
If WordPress thinks the admin lives at one URL while the browser is using another, the login flow often breaks.
3. A Plugin Is Forcing Bad Redirects
Plugins that touch authentication, redirects, security, caching, or SSL are common suspects.
Typical examples:
- redirect plugins,
- security plugins,
- membership plugins,
- custom login plugins,
- caching plugins,
- SSL helper plugins.
One bad rule is enough to bounce the login back to itself forever.
4. .htaccess Rules Are Broken
Bad rewrite rules can create redirect loops before WordPress even finishes the login process.
This is more common after:
- manual redirect edits,
- security plugin changes,
- migration tools rewriting URLs,
- old redirects left behind after SSL changes.
5. HTTPS or Reverse Proxy Settings Are Wrong
This is a major cause on sites behind Cloudflare, NGINX reverse proxies, load balancers, or hosting proxies.
If the proxy terminates HTTPS but WordPress thinks the request is still HTTP, WordPress may keep forcing redirects. That often creates a login loop around /wp-admin/ or the login page itself.
6. Cached Redirects or Stale Browser State
Sometimes the real issue has already been fixed, but cache keeps the loop alive.
This can involve:
- browser cache,
- site cookies,
- WordPress cache plugins,
- server cache,
- CDN cache.
This is why private browsing is such a useful first test.
7. Theme or Custom Code Is Interfering with Login
Not every login loop comes from plugins. Themes and custom snippets can also break login redirects or cookies.
This is more likely if:
- the loop started after editing
functions.php, - the theme controls admin redirects,
- custom code forces HTTPS or user roles badly.
How to Fix WordPress Login Redirect Loop Step by Step
Work through these fixes in order. In many cases, one of the first three solves it.
1. Clear Cookies for the Site
Start here first. WordPress login depends on cookies, so bad cookie state is the most common reason the session does not stick.
Clear cookies for your domain, then close and reopen the browser. Do not just refresh the page.
If you are not sure whether the browser state is the problem, test the login in a private or incognito window before changing anything else.
2. Test the Login in a Private Window
This is one of the fastest diagnostic steps.
- If login works in private browsing, the issue is usually cookies or cached redirect state.
- If it fails there too, the problem is more likely in WordPress, plugins, or server configuration.
This step saves a lot of time.
3. Check WordPress Address and Site Address
Make sure the site uses the correct canonical URL.
Check:
- HTTP vs HTTPS,
wwwvs non-www,- main domain vs subdirectory path,
- proxy-facing URL vs origin URL.
If the values are wrong, WordPress may keep redirecting the login to the wrong location.
If you cannot access wp-admin, you can define them temporarily in wp-config.php:
define('WP_HOME', 'https://example.com');
define('WP_SITEURL', 'https://example.com');Use your real site URL, not a placeholder.
4. Restore the Default .htaccess File
If bad rewrite rules are involved, restoring the default WordPress rewrite rules often helps.
Back up the current .htaccess first. Then replace it temporarily with the default WordPress version:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPressThen test the login again.
If this fixes it, the old rewrite rules were likely responsible.
5. Disable Plugins Manually
If you cannot get into wp-admin, disable plugins through files.
Go to:
/wp-content/plugins/Then rename the entire plugins folder to something like:
plugins-disabledWordPress will deactivate the plugins automatically.
Now try logging in again.
- If login works, a plugin caused the loop.
- Rename the folder back and then disable plugins one by one to find the exact cause.
6. Switch to a Default Theme
If plugins are not the cause, test the theme.
Go to:
/wp-content/themes/Rename the active theme folder. If a default WordPress theme is installed, WordPress should fall back to it.
If the loop stops, the active theme or theme-level custom code is the likely culprit.
7. Check Reverse Proxy and HTTPS Handling
If the site sits behind Cloudflare, NGINX proxy, Apache proxy, or a load balancer, make sure WordPress knows the original request was HTTPS.
A common fix in proxied setups is to handle forwarded HTTPS correctly in wp-config.php:
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
$_SERVER['HTTPS'] = 'on';
}Use this only if your proxy actually sends that header correctly.
If WordPress believes the request is HTTP while the browser is on HTTPS, redirect loops are very common.
8. Clear All Cache Layers
After changing URLs, plugins, redirects, or proxy settings, clear all caches.
That includes:
- browser cache,
- site cookies,
- WordPress cache plugins,
- hosting cache,
- CDN cache.
Without this step, you may think the fix failed when you are only seeing stale redirects.
9. Review Security and Login Plugins
If the issue started after enabling a login, firewall, or membership plugin, inspect that plugin first.
Common failure patterns:
- forced redirects after login,
- bad role-based redirects,
- cookie enforcement,
- custom login URL conflicts,
- two-factor or session plugins misbehaving.
These plugins often break login without breaking the rest of the site.
10. Check Cookie Domain and Path Constants
Custom cookie-related constants can cause login loops if they are set incorrectly.
This is more likely if someone added or changed constants in wp-config.php during a migration, multisite setup, or subdirectory move.
If you see custom cookie domain or path definitions, review them carefully. Wrong cookie scope can stop WordPress admin authentication from persisting correctly.
11. Check for Mixed HTTP and HTTPS Settings
This is a classic cause.
Check whether:
- WordPress Address uses HTTPS but Site Address uses HTTP,
- the proxy serves HTTPS but origin still redirects to HTTP,
FORCE_SSL_ADMINwas enabled without correct proxy handling,- some login routes still point to the old scheme.
One mismatch is enough to trap the login flow in a loop.
12. Review Logs and Debug Output
If the issue still persists, use logs instead of guessing.
Check:
- web server logs,
- PHP error logs,
- WordPress debug log,
- security plugin logs,
- reverse proxy logs if applicable.
Look for repeated 302 redirects, cookie warnings, fatal errors, or plugin-level auth issues.
13. Use Recovery Mode If a Plugin or Theme Is Breaking Login
If the login loop is tied to a broader plugin or theme failure, WordPress recovery mode may help you regain access more safely.
This is especially relevant if the issue began right after an update and the site also shows other admin-side problems.
Advanced Troubleshooting
Compare Logged-Out and Logged-In Redirect Chains
Use browser developer tools to inspect the redirect chain.
Check whether:
- the login POST succeeds,
- the auth cookie is set,
- the next request reaches
/wp-admin/, - WordPress immediately redirects back to login again.
This tells you whether the real failure is in cookies, redirects, or auth state.
Test the Site on the Real Canonical URL Only
Do not mix variants while debugging.
Pick one canonical URL and use it consistently:
https://example.com- or
https://www.example.com
Trying both randomly during testing can hide the real cause if cookie domain scope is part of the issue.
Review Recent Changes First
Ask what changed before the login loop started.
- SSL setup changed,
- Cloudflare or reverse proxy enabled,
- domain changed,
- plugin updated,
- theme updated,
- .htaccess edited,
- caching plugin installed.
Most login loops begin right after one of those changes.
Check Multisite, Subdirectory, and Custom Admin Setups
Login loops are more likely on:
- multisite,
- subdirectory installs,
- domain-mapped environments,
- custom login URL setups,
- sites behind a reverse proxy or WAF.
These setups are more sensitive to cookie scope and canonical URL mismatches.
Verify That Caching Does Not Apply to Login Pages
Login and admin paths should not be cached like public pages.
If login pages or redirect responses are cached, the loop can persist even when the core issue is fixed.
Prevention Tips
- Use one canonical site URL consistently.
- Be careful when switching between HTTP and HTTPS.
- Clear cache after changing login, SSL, or proxy settings.
- Avoid running multiple redirect or login-management plugins at once.
- Test wp-admin after every migration and SSL change.
- Keep theme and plugin custom login logic minimal.
- Document reverse proxy and forwarded HTTPS handling.
- Do not leave old rewrite rules in place after URL changes.
The best prevention is simple: keep WordPress URL settings, cookies, redirects, and proxy behavior aligned with the real public URL of the site.
When to Contact Support
Contact your hosting provider if:
- the issue started after a migration,
- reverse proxy or SSL handling is unclear,
- server cache or proxy rules may be involved,
- you need access to logs or config you cannot change yourself.
Contact the plugin or theme developer if:
- the loop started after their update,
- the issue disappears when that plugin or theme is disabled,
- the product manages login, redirects, roles, or security.
Focus on WordPress-level troubleshooting if:
- private mode changes the result,
- clearing cookies helps,
- site URLs were changed recently,
- the problem is limited to wp-admin or login flow.
FAQ
Why does WordPress keep redirecting me back to the login page?
Usually because the login cookie is not being stored or recognized correctly, or because WordPress is redirecting between mismatched site URLs, plugins, or HTTPS rules.
How do I fix a WordPress login redirect loop fast?
Start by clearing site cookies, testing in a private window, checking the site URL settings, and disabling plugins manually if needed. Those steps solve most cases.
Can plugins cause a WordPress login redirect loop?
Yes. Redirect plugins, security plugins, membership plugins, cache plugins, and SSL helper plugins are all common causes.
Can HTTPS or Cloudflare cause a WordPress login redirect loop?
Yes. If WordPress, the proxy, and the public site URL disagree about HTTP vs HTTPS, the login flow can loop endlessly.
Will clearing cookies fix the WordPress login loop?
Sometimes, yes. Because WordPress login depends on cookies, clearing corrupted or stale site cookies is one of the best first fixes.
Final Thoughts
WordPress login redirect loop usually looks worse than it is. In most cases, the real problem is not the login form itself. It is cookies, URL mismatch, redirect rules, or a plugin or proxy setting that breaks the authenticated session.
Start with cookies and private browsing. Then check site URLs, plugins, .htaccess, and HTTPS or reverse proxy handling in that order. That path solves the problem much faster than reinstalling WordPress or changing random settings blindly.