WordPress | May 1, 2026

How to Fix WordPress Login Redirect Loop in 2026

Stop the WordPress login redirect loop with safe fixes for cookies, site URLs, plugins, SSL, .htaccess, cache, and wp-config issues.

Category: WordPress Troubleshooting

How to Fix WordPress Login Redirect Loop

A WordPress login redirect loop happens when you enter the correct username and password, but WordPress keeps sending you back to the login page. In some cases, the dashboard flashes for a second and redirects back to wp-login.php. In other cases, you see no error at all, even though the login details are correct.

This issue usually comes from broken login cookies, incorrect WordPress site URLs, HTTP/HTTPS mismatch, cache problems, security plugin conflicts, wrong redirects, corrupted .htaccess rules, or server configuration issues. This guide shows you how to fix the WordPress login redirect loop safely without reinstalling WordPress or deleting your site.

TL;DR: Fastest Safe Fix

To fix a WordPress login redirect loop, first clear browser cookies and cache, then try logging in from a private browser window. If that fails, clear WordPress/server/CDN cache, verify WP_HOME and WP_SITEURL, check HTTP vs HTTPS and www vs non-www settings, disable plugins by renaming the wp-content/plugins folder, reset .htaccess, and check security or redirect rules. The most common causes are bad cookies, wrong site URLs, SSL mismatch, cache conflicts, and login/security plugins.

What Is a WordPress Login Redirect Loop?

A WordPress login redirect loop is when WordPress accepts your login attempt but does not keep you logged in. Instead of taking you to the dashboard, it redirects you back to the login page again and again.

This can happen even when your username and password are correct. The real issue is often that WordPress cannot set or validate the login cookie properly, or the site is redirecting between different versions of the same domain.

Common signs include:

  • You enter correct login details but return to the login page.
  • The dashboard loads briefly, then redirects back to wp-login.php.
  • The issue happens only after switching from HTTP to HTTPS.
  • The issue starts after a migration or domain change.
  • The issue happens only in one browser.
  • The issue happens only after installing a security, cache, or redirect plugin.
  • The issue happens only behind Cloudflare, proxy, or CDN settings.

External reference: WordPress explains that it uses cookies to verify logged-in users here: WordPress Cookies.

What Usually Causes the WordPress Login Redirect Loop?

The login loop is rarely caused by one single thing. It usually happens when WordPress, the browser, the server, or a plugin disagrees about the correct login URL, cookie domain, HTTPS status, or redirect destination.

Most common causes include:

  • Browser cookie problem: Old or invalid WordPress login cookies stop authentication from sticking.
  • Wrong site URL: WordPress Address and Site Address do not match the real domain.
  • HTTP/HTTPS mismatch: WordPress loads over HTTPS, but settings or redirects still point to HTTP.
  • www vs non-www mismatch: Login starts on one version of the domain and redirects to another.
  • Security plugin conflict: Login protection, two-factor authentication, firewall, or hidden login URL settings may break the login flow.
  • Cache conflict: Cached login pages, object cache, server cache, or CDN cache can interfere with sessions.
  • Redirect plugin issue: Bad redirect rules may send wp-admin or wp-login.php back to the login screen.
  • Corrupted .htaccess rules: Apache or LiteSpeed rewrite rules may redirect incorrectly.
  • SSL/proxy issue: Cloudflare, load balancers, or reverse proxies may pass the wrong HTTPS status to WordPress.
  • Theme or custom code error: Custom login redirects or role-based dashboard redirects may loop.

Before You Start: Do These Safety Checks

Do not reinstall WordPress or reset the database. A login redirect loop is usually fixable with configuration, cache, cookie, plugin, or redirect changes.

Quick safety checklist:

  • Take a backup before editing wp-config.php or .htaccess.
  • Write down what changed recently: SSL, migration, plugin, domain, CDN, cache, or security setting.
  • Keep a copy of your existing .htaccess file before resetting it.
  • Do not delete plugins immediately. Rename folders first.
  • Test in a private browser window after each change.
  • If the site is WooCommerce or membership-based, avoid database restores unless absolutely necessary.

If you already have server logs or redirect logs, use the FyrePress Server Log Analyzer to identify repeated redirects, SSL mismatch, blocked login requests, or plugin-related errors before making deeper changes.

Fix 1: Clear Browser Cookies and Cache

WordPress login depends on cookies. If your browser has an old, broken, or mismatched authentication cookie, WordPress may keep sending you back to the login page.

Steps:

  1. Open your browser settings.
  2. Clear cookies and site data for your domain.
  3. Clear cached files for your domain.
  4. Close the browser completely.
  5. Open a private/incognito window.
  6. Visit https://yourdomain.com/wp-login.php.
  7. Try logging in again.

If login works in private mode, the issue was likely browser cookies, local cache, or a browser extension. You can then clear site data in your normal browser profile and test again.

Also make sure cookies are enabled in the browser. WordPress needs cookies to keep users logged in.

Fix 2: Clear WordPress, Server, and CDN Cache

Login pages should not be cached like normal public pages. If a cache plugin, server cache, CDN, or object cache stores the login response incorrectly, it can cause redirect loops.

Clear these cache layers:

  • WordPress cache plugin cache
  • LiteSpeed Cache or server-level cache
  • Object cache such as Redis or Memcached
  • CDN cache such as Cloudflare
  • Browser cache

Make sure these paths are excluded from full-page cache:

/wp-admin/*
/wp-login.php
/wp-json/*
/cart/*
/checkout/*
/my-account/*

For most WordPress sites, wp-admin and wp-login.php should never be served from public page cache. WooCommerce account, cart, and checkout pages should also be excluded.

Related FyrePress guide: How to Speed Up WordPress Without Breaking It.

Fix 3: Check WordPress Address and Site Address

Wrong WordPress URLs are one of the most common causes of login redirect loops, especially after migrations, SSL changes, domain changes, or switching between www and non-www.

If you can access the dashboard, go to:

Settings → General

Then check:

  • WordPress Address (URL)
  • Site Address (URL)

Both should usually match your real live domain version.

Good examples:

https://example.com
https://www.example.com

Bad mismatch example:

WordPress Address: http://example.com
Site Address: https://www.example.com

That kind of mismatch can cause cookies and redirects to fail because the login starts on one URL version and finishes on another.

External reference: WordPress documents site URL constants in wp-config.php here: Editing wp-config.php.

Fix 4: Force the Correct Site URL in wp-config.php

If you cannot access the dashboard, you can temporarily define the correct URLs inside wp-config.php. This is useful after a migration, domain change, or SSL switch.

Add these lines before the final comment that says That's all, stop editing!:

define( 'WP_HOME', 'https://example.com' );
define( 'WP_SITEURL', 'https://example.com' );

Replace https://example.com with your exact live domain. Use either www or non-www, not both. Do not add a trailing slash.

Examples:

define( 'WP_HOME', 'https://fyrepress.com' );
define( 'WP_SITEURL', 'https://fyrepress.com' );

If the login loop stops after adding these constants, the issue was likely an incorrect URL stored in the database. You can later update the values properly in the database or dashboard.

FyrePress tool: Use the FyrePress wp-config.php Builder to generate clean WordPress configuration constants safely.

Fix 5: Check HTTP to HTTPS Redirects

If your site recently moved to HTTPS, a login loop may happen when WordPress, the browser, and the server disagree about whether the request is secure.

Check these items:

  • Your SSL certificate is valid.
  • WordPress Address and Site Address use https://.
  • Your CDN or proxy is not forcing mixed HTTP/HTTPS behavior.
  • Your .htaccess or Nginx redirects do not conflict.
  • You are not redirecting HTTPS back to HTTP.
  • You are not redirecting non-www to www in one place and www to non-www somewhere else.

If you use Cloudflare, avoid a setup where the visitor sees HTTPS but the origin request is treated as HTTP in a way WordPress does not understand. This can cause WordPress to generate insecure redirects or fail cookie validation.

Optional wp-config.php SSL admin rule:

define( 'FORCE_SSL_ADMIN', true );

Use this only when your site has a working SSL certificate and WordPress is intended to run admin pages over HTTPS.

Related FyrePress guide: How to Set Up Cloudflare for WordPress.

Fix 6: Disable Plugins Manually

Login redirect loops often come from security, login customization, two-factor authentication, cache, redirect, membership, or user-role plugins. If you cannot log in, disable all plugins manually.

Steps:

  1. Open hosting File Manager or connect using SFTP.
  2. Go to your WordPress installation folder.
  3. Open wp-content.
  4. Rename plugins to plugins-disabled.
  5. Try logging in again.

wp-content/plugins → wp-content/plugins-disabled

If login works, one plugin is causing the loop. Rename the folder back to plugins, then disable individual plugin folders one by one until you find the problem.

Plugins most likely to cause login loops:

  • Security plugins
  • Two-factor authentication plugins
  • Custom login URL plugins
  • Redirect plugins
  • Cache plugins
  • Membership plugins
  • Role editor plugins
  • Social login plugins

Related FyrePress guide: WordPress Plugin Compatibility Checklist.

Fix 7: Switch to a Default WordPress Theme

A theme can cause login redirects if it contains custom code for login pages, user roles, memberships, dashboard redirects, or access control. This is less common than plugin issues, but it still happens.

If you cannot access wp-admin:

  1. Open File Manager or SFTP.
  2. Go to wp-content/themes.
  3. Rename your active theme folder.
  4. Try logging in again.

If a default WordPress theme is installed, WordPress may fall back to it. If login works after disabling the active theme, check your theme’s functions.php, custom redirect code, membership logic, or child theme edits.

Related FyrePress guide: Create a WordPress Staging Site Before Updates.

Fix 8: Reset the .htaccess File

On Apache and LiteSpeed servers, bad .htaccess redirects can send users back to the login page repeatedly. This can happen after adding HTTPS redirects, security rules, bot blocking, login protection, or custom rewrite rules.

How to reset .htaccess safely:

  1. Open hosting File Manager or SFTP.
  2. Go to the WordPress root folder.
  3. Download a backup copy of .htaccess.
  4. Rename .htaccess to .htaccess-old.
  5. Try logging in again.

.htaccess → .htaccess-old

If login works, the issue was likely inside your rewrite or redirect rules. Create a clean default WordPress .htaccess file and re-add custom rules carefully.

Default WordPress .htaccess rules:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

FyrePress tool: Use the FyrePress .htaccess Security Builder to generate safer WordPress-ready rules for Apache and LiteSpeed.

Fix 9: Check Redirect Rules and Custom Login URLs

Redirect rules can easily create a loop when they target wp-admin, wp-login.php, user roles, or old login URLs.

Check these places:

  • Redirect plugin rules
  • Security plugin login URL settings
  • .htaccess redirects
  • Nginx server block redirects
  • Cloudflare page rules or redirect rules
  • Custom code in functions.php
  • Membership plugin access rules

Common bad redirect pattern:

/wp-admin/ → /login/
/login/ → /wp-login.php
/wp-login.php → /login/

This kind of setup can trap the user in a loop. Keep login redirects simple, and make sure the final destination does not redirect back to the starting URL.
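To tell which kind of loop you are in, compare the hops of a redirect chain (for example, the status and Location lines printed by `curl -sIL`) and name what each hop changes. This is an added example, not part of the original guide; the function names are illustrative and the sample chains are constructed, with example.com as a placeholder domain.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def page_key(url):
    """Scheme + host + path; the query is ignored so that
    wp-login.php?redirect_to=... variants count as the same page."""
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.path or "/")


def strip_www(host):
    return host[4:] if host.startswith("www.") else host


def classify_hop(src, dst):
    """Name what a single redirect changed: scheme, host, or path."""
    (s1, h1, p1), (s2, h2, p2) = page_key(src), page_key(dst)
    changes = []
    if s1 != s2:
        changes.append(f"scheme {s1}->{s2}")
    if h1 != h2:
        kind = "www/non-www" if strip_www(h1) == strip_www(h2) else "host"
        changes.append(f"{kind} {h1}->{h2}")
    if p1 != p2:
        changes.append(f"path {p1}->{p2}")
    return changes or ["query only"]


def analyze_chain(start, hops):
    """hops: (status, Location) pairs in the order the client received them.
    Returns (loop_found, [(from_url, to_url, changes), ...])."""
    seen = {page_key(start)}
    current, report = start, []
    for status, location in hops:
        if status not in REDIRECT_CODES or not location:
            break  # a final (non-redirect) response ends the chain
        target = urljoin(current, location)  # Location may be relative
        report.append((current, target, classify_hop(current, target)))
        if page_key(target) in seen:
            return True, report  # back on a page already visited
        seen.add(page_key(target))
        current = target
    return False, report


# Constructed sample chains (example.com is a placeholder domain).
PATH_LOOP = ("https://example.com/wp-admin/",
             [(302, "/login/"), (302, "/wp-login.php"), (302, "/login/")])
SCHEME_LOOP = ("http://example.com/wp-login.php",
               [(301, "https://example.com/wp-login.php"),
                (302, "http://example.com/wp-login.php")])
WWW_LOOP = ("https://example.com/wp-admin/",
            [(301, "https://www.example.com/wp-admin/"),
             (301, "https://example.com/wp-admin/")])
HEALTHY = ("http://example.com/wp-admin/",
           [(301, "https://example.com/wp-admin/"),
            (302, "/wp-login.php?redirect_to=%2Fwp-admin%2F"), (200, None)])

if __name__ == "__main__":
    for name, (start, hops) in [("path", PATH_LOOP), ("scheme", SCHEME_LOOP),
                                ("www", WWW_LOOP), ("healthy", HEALTHY)]:
        loop, report = analyze_chain(start, hops)
        print(name, "LOOP" if loop else "ok", [c for _, _, c in report])
```

A scheme or www/non-www change in the looping hop points back to Fix 3 through Fix 5; a pure path change points to the redirect rules listed in this section.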

Related FyrePress guide: Best WordPress Redirection Plugins and When to Use Them.

Fix 10: Check File and Folder Permissions

Incorrect file permissions are not the most common login-loop cause, but they can contribute to session, cache, plugin, or server issues if WordPress cannot read required files properly.

Typical WordPress permissions:

  • Folders: 755
  • Files: 644
  • wp-config.php: often 600 or 640, depending on hosting setup

Avoid setting files or folders to 777. That is insecure and can create bigger problems. If permissions changed after a migration, ask your host to check file ownership as well.
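A read-only audit of a WordPress tree against the baseline above, flagging world-writable entries, a wp-config.php that other users can read, and files or folders the owner cannot read. This is an added example, not part of the original guide; the function name and the reason strings are illustrative, and whether 644 on wp-config.php is acceptable depends on your hosting setup.

```python
import os
import stat
import sys


def audit_permissions(root):
    """Walk a WordPress tree and report modes that break the baseline above.

    Returns a sorted list of (relative_path, octal_mode, reason).
    Nothing is changed on disk.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode says nothing useful
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            octal = format(mode, "03o")
            if mode & stat.S_IWOTH:
                # covers 777 folders and 666 files
                findings.append((rel, octal, "world-writable"))
            if name == "wp-config.php" and mode & stat.S_IROTH:
                findings.append(
                    (rel, octal, "wp-config.php readable by other users"))
            if not mode & stat.S_IRUSR:
                # WordPress cannot load a file its owner cannot read
                findings.append((rel, octal, "owner cannot read"))
            elif stat.S_ISDIR(st.st_mode) and not mode & stat.S_IXUSR:
                findings.append((rel, octal, "owner cannot enter directory"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_permissions.py /path/to/wordpress
    for rel, octal, reason in audit_permissions(sys.argv[1]):
        print(f"{octal}  {rel}  ({reason})")
```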

Fix 11: Regenerate WordPress Security Keys and Salts

WordPress security keys and salts help secure authentication cookies. If cookies are behaving strangely after a migration, compromise, or configuration change, regenerating salts can force all sessions to log out and create fresh authentication cookies.

In wp-config.php, you will see constants like these:

define( 'AUTH_KEY',         '...' );
define( 'SECURE_AUTH_KEY',  '...' );
define( 'LOGGED_IN_KEY',    '...' );
define( 'NONCE_KEY',        '...' );
define( 'AUTH_SALT',        '...' );
define( 'SECURE_AUTH_SALT', '...' );
define( 'LOGGED_IN_SALT',   '...' );
define( 'NONCE_SALT',       '...' );

Replace them with fresh values from the official WordPress secret-key generator: WordPress.org Secret Key Service.

Important: changing these values logs out all users. This is normal. After saving the file, clear cache and try logging in again.

Fix 12: Enable Debug Logging

If the login loop still continues, enable private debug logging to catch plugin, theme, redirect, cookie, or PHP warnings behind the issue.

Add these lines to wp-config.php before the final stop-editing comment:

define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', 0 );

Then try logging in once and check:

  • wp-content/debug.log
  • PHP error logs in your hosting panel
  • LiteSpeed, Apache, Nginx, or PHP-FPM logs
  • Security plugin logs
  • CDN or firewall logs

External reference: WordPress documents debug constants such as WP_DEBUG, WP_DEBUG_LOG, and WP_DEBUG_DISPLAY here: Debugging in WordPress.

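Keep WP_DEBUG_DISPLAY set to false on live sites so technical errors are not shown publicly. Turn WP_DEBUG and WP_DEBUG_LOG off again once you have found the cause, because wp-content/debug.log sits inside the web root and can be downloaded by anyone unless the server blocks access to it.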

Fix 13: Check Reverse Proxy, Cloudflare, or Load Balancer Settings

If your WordPress site runs behind Cloudflare, a reverse proxy, or a load balancer, WordPress may not always detect the correct protocol or host. This can cause HTTPS redirects, cookie validation, and login sessions to behave incorrectly.

Signs this may be the issue:

  • The login loop started after enabling Cloudflare or a CDN.
  • The site works when bypassing the proxy.
  • WordPress Address is HTTPS, but server logs show HTTP requests.
  • There are repeated redirects between HTTP and HTTPS.
  • Cookies are set for the wrong domain or protocol.

Ask your host or server admin to check whether WordPress receives the correct HTTPS headers, such as X-Forwarded-Proto, and whether the proxy is configured consistently.
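Why a TLS-terminating proxy produces this loop, and why the forwarded header should be honoured only when the request comes from the proxy itself, shown as a simplified model of an origin that forces admin pages to HTTPS. This is an added example, not WordPress code and not part of the original guide; the IP addresses, the TRUSTED_PROXIES set and the function names are assumptions.

```python
TRUSTED_PROXIES = {"203.0.113.10"}  # assumption: address of your own proxy


def seen_as_https(req, honor_forwarded):
    """Origin's decision on whether this request arrived over HTTPS."""
    if req["scheme"] == "https":  # TLS reached the origin itself
        return True
    if honor_forwarded and req["remote_addr"] in TRUSTED_PROXIES:
        proto = req["headers"].get("X-Forwarded-Proto", "")
        return proto.strip().lower() == "https"
    return False  # the header from any other sender is ignored


def origin_response(req, honor_forwarded):
    """Origin that forces admin pages to HTTPS."""
    if not seen_as_https(req, honor_forwarded):
        return 302, "https://example.com" + req["path"]
    return 200, None


def browse_via_proxy(path, honor_forwarded, max_hops=5):
    """Visitor requests https://example.com<path>; the proxy terminates TLS
    and forwards plain HTTP with X-Forwarded-Proto. Returns statuses seen."""
    statuses = []
    for _ in range(max_hops):
        forwarded = {"scheme": "http", "remote_addr": "203.0.113.10",
                     "path": path, "headers": {"X-Forwarded-Proto": "https"}}
        status, _location = origin_response(forwarded, honor_forwarded)
        statuses.append(status)
        if status == 200:
            break
        # The browser follows Location, which is the https URL it already
        # asked for, so the proxy forwards the same plain-HTTP request again.
    return statuses


# Constructed request: a client that bypasses the proxy and sets the header.
SPOOFED = {"scheme": "http", "remote_addr": "198.51.100.7",
           "path": "/wp-admin/", "headers": {"X-Forwarded-Proto": "https"}}

if __name__ == "__main__":
    print("header ignored :", browse_via_proxy("/wp-admin/", False))
    print("header honoured:", browse_via_proxy("/wp-admin/", True))
    print("spoofed header :", origin_response(SPOOFED, True))
```

When the origin ignores the header, every hop is another 302; when it honours the header from the trusted proxy address, the first request returns 200, while the same header sent from any other address is still treated as plain HTTP.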

WordPress Multisite login loops can be more complex because network sites may use subdomains, subdirectories, mapped domains, or custom cookie domains.

Check these Multisite items:

  • The main network domain is correct.
  • Mapped domains point to the right site.
  • HTTP/HTTPS settings are consistent across the network.
  • Cookie domain constants are not outdated.
  • Subdomain and subdirectory paths match the network setup.
  • Sunrise/domain mapping plugins are working correctly.

If the login loop started after domain mapping or migration, check wp-config.php, the network admin settings, and database values for site/domain paths carefully.

Best Fix Method by User Type

The best fix depends on what access you still have and what changed before the loop started.

For beginners

Start with browser cookies, private mode, cache clearing, and checking your domain URL. If the site recently moved to HTTPS or a new host, ask your host to verify the WordPress Address and Site Address values.

For site owners with hosting access

Define WP_HOME and WP_SITEURL in wp-config.php, disable plugins by renaming the plugins folder, reset .htaccess, and clear all cache layers.

For developers

Inspect redirect chains, cookies, HTTP response headers, proxy headers, SSL configuration, security plugin rules, custom login hooks, role-based redirects, and debug logs.

For WooCommerce and membership sites

Be careful with account pages, login redirects, membership rules, cache exclusions, and role-based redirects. Do not cache account, cart, checkout, or login pages.

For Multisite networks

Check network domain settings, mapped domains, cookie domain constants, HTTPS consistency, and subdomain/subdirectory paths before editing individual sites.

How to Prevent Login Redirect Loops

Most login redirect loops can be prevented with clean URL settings, stable SSL configuration, careful plugin testing, and proper cache exclusions.

Prevention checklist:

  • Keep WordPress Address and Site Address consistent.
  • Use one canonical domain version: either www or non-www.
  • Use HTTPS consistently across WordPress, server, CDN, and redirects.
  • Exclude wp-admin and wp-login.php from page cache.
  • Test security and login plugins on staging before enabling them on production.
  • Avoid multiple plugins controlling login redirects at the same time.
  • Keep a backup of working .htaccess and wp-config.php files.
  • Check redirect chains after changing domains or SSL settings.
  • Use staging before migrations, CDN changes, or login URL changes.
  • Document Cloudflare, proxy, and SSL settings after setup.

Related FyrePress guide: Safely Update WordPress Without Issues.

Final Recommendation

The safest way to fix a WordPress login redirect loop is to start with cookies and cache, then move to URL, SSL, plugin, and redirect checks. Most loops happen because WordPress cannot validate the login cookie or because the site redirects between different domain or protocol versions.

If basic browser and cache fixes do not work, define the correct site URLs in wp-config.php, disable plugins manually, reset .htaccess, and inspect redirects. Once login works again, remove unnecessary redirect rules, clean up cache exclusions, and keep one consistent canonical domain.

Frequently Asked Questions

Why does WordPress keep redirecting me to the login page?

WordPress may keep redirecting you to the login page because of broken cookies, incorrect site URLs, HTTP/HTTPS mismatch, cache conflicts, security plugin issues, bad redirects, or corrupted .htaccess rules.

Can cookies cause a WordPress login redirect loop?

Yes. WordPress uses cookies to verify logged-in users. If the browser has old, blocked, or invalid cookies for your domain, WordPress may fail to keep the session active and send you back to the login page.

How do I fix a WordPress login loop after changing to HTTPS?

Make sure WordPress Address and Site Address use https, confirm your SSL certificate works, clear all cache layers, remove conflicting HTTP redirects, and check CDN or proxy settings such as Cloudflare SSL mode.

Can a plugin cause a WordPress login redirect loop?

Yes. Security, cache, redirect, two-factor authentication, membership, role editor, and custom login plugins can cause login loops if they conflict with cookies, redirects, or access rules.

How do I disable plugins if I cannot log in?

Use hosting File Manager or SFTP, open wp-content, and rename the plugins folder to plugins-disabled. This disables all plugins temporarily without deleting them.

Should wp-login.php be cached?

No. The WordPress login page and wp-admin area should not be served from public full-page cache. Cache plugins, server cache, and CDN cache should exclude login and admin URLs.

Can .htaccess cause a WordPress login loop?

Yes. Bad .htaccess redirects or rewrite rules can send wp-admin or wp-login.php back to the login screen repeatedly. Rename .htaccess temporarily and test login again.

How can I prevent WordPress login redirect loops?

Keep site URLs consistent, use HTTPS correctly, exclude login/admin pages from cache, avoid overlapping redirect plugins, test security plugins carefully, and keep backups of wp-config.php and .htaccess.