Severity: Minor · Fix time: Under 5 min · Skill level: Beginner

Cookies Are Blocked or Not Supported is a WordPress error that appears on the login page when WordPress cannot set the authentication cookie required to establish a logged-in session. After entering your username and password, instead of reaching wp-admin, you’re redirected back to the login screen with this message. WordPress has verified your credentials — the password is correct — but the browser isn’t accepting or transmitting the session cookie that proves you’re logged in.

Unlike most WordPress errors, this one is almost never caused by a server configuration problem. The cause is nearly always on the browser side: cookies disabled, browser privacy settings, an overly strict extension, or a mismatch between WordPress’s configured URL and the URL you’re actually using.

Need a quick map of every WordPress error? See our 70+ WordPress Errors Guide → for a categorized reference of every common WordPress issue.

[Image: WordPress login page showing the message “Cookies are blocked or not supported by your browser. You must enable cookies to use WordPress.”]

How the Cookie Login Error Works

WordPress’s authentication system relies on browser cookies to maintain a logged-in session. When you enter correct credentials, WordPress calls wp_set_auth_cookie() to write a cookie to your browser — containing a cryptographic token tied to your user account. On the next page load, WordPress reads this cookie to recognize you as logged in.

The error appears when WordPress detects that the cookie it set isn’t being sent back in subsequent requests. WordPress detects this by setting a test cookie before the login form is submitted, then checking for it after the POST. If the test cookie isn’t present, WordPress assumes cookie support is unavailable.

Common causes:

  • Browser cookies disabled — Rare on modern browsers with default settings.
  • Privacy extensions blocking cookies — uBlock Origin, Privacy Badger, or strict ad blockers may intercept the auth cookie.
  • URL mismatch — If WordPress Address in Settings → General is https://www.example.com but you’re visiting http://example.com, the cookie is set for the configured domain, not the one you’re on.
  • Secure cookie on a non-HTTPS connection — WordPress sets the Secure flag when using HTTPS. Visiting the site over HTTP means the browser won’t send the secure cookie back.
  • Corrupt cookies from a previous session — Old or conflicting cookies can interfere with fresh cookie setting.

This error is related to but distinct from the REST API Cookie Check Failed error: that error assumes you’re already logged in but the nonce attached to API requests is invalid. This error prevents login from completing at all.

Check This First — 2-Minute Diagnostic

  1. Clear cookies for your site — In your browser, clear cookies specifically for your WordPress domain. Then retry the login. This resolves corrupt cookie conflicts in most cases.
  2. Try a different browser or incognito mode — If the error only appears in one browser, the issue is browser-specific (extensions, settings, or cached cookies). If it appears everywhere, the cause is the WordPress URL configuration.
  3. Check your WordPress URL — Compare the URL in your browser’s address bar to what’s shown in Settings → General. They must match exactly: http vs. https and www vs. non-www.
  4. Disable extensions temporarily — Disable privacy-focused extensions and try logging in. If that works, one of your extensions was blocking the cookie.
  5. Try logging in from a mobile browser — Mobile browsers have fewer extensions. If login works on mobile but not desktop, it’s extension or browser-configuration related.

Purpose & Benefits

1. Understanding WordPress Cookie Requirements Prevents Login Lockouts

The cookie login error is non-obvious because the password is correct — the error appears after authentication succeeds. Understanding that WordPress uses cookies for session persistence (not just for login verification) explains why correct credentials still result in a redirect loop.

2. URL Consistency Is Foundational to WordPress Security

WordPress’s cookie domain settings derive from siteurl and home in the database. A URL mismatch is also the root cause of WordPress login redirect loops and certain REST API cookie check failures. Getting the URL configuration right once prevents multiple authentication-related errors.

3. This Error Can Signal a Misconfigured SSL Migration

When sites migrate from HTTP to HTTPS, WordPress’s URL settings must be updated to reflect the new protocol. If the database still shows http:// URLs while the server redirects to https://, the cookie domain mismatch triggers this error — a common post-migration issue that also causes mixed content warnings.

Examples

1. Clearing Cookies to Resolve Corrupt Session Data

The fastest fix in most cases. In Chrome: Settings → Privacy and Security → Delete browsing data → Cookies → Specific sites and add your domain. In Firefox: History → Clear Recent History → Cookies. After clearing cookies for your domain, revisit the login page and log in fresh. This resolves the error in the majority of cases.

2. Correcting a URL Mismatch in wp-config.php

A site recently migrated from http:// to https:// still has a stale entry in the database pointing to the old URL. Adding constants to wp-config.php forces WordPress to use the correct URL without requiring database access:

// Force WordPress to use the correct URL
// Overrides database settings and fixes cookie domain matching
// Replace with your actual site URL including https:// and www
define('WP_SITEURL', 'https://www.example.com');
define('WP_HOME',    'https://www.example.com');

After adding these, clear your browser cookies and retry the login. If it works, update the correct values in Settings → General (or via phpMyAdmin in the wp_options table), then remove these constants from wp-config.php.

3. Fixing Cookie Blocking From a Browser Extension

A site owner’s browser has uBlock Origin with strict settings that treats the WordPress admin domain as a tracker. The fix: open the extension’s settings, add yourdomain.com to the trusted sites or allowlist, clear existing cookies for the domain, then log in. If you manage WordPress for multiple people, this is a common support call that requires no server changes.

Common Mistakes to Avoid

  • Repeatedly attempting login without clearing cookies — If the test cookie from a failed login attempt isn’t cleared, subsequent attempts may also fail. Clear cookies between attempts.
  • Editing wp-config.php URL constants and not removing them later — The WP_SITEURL and WP_HOME constants override database settings permanently while present. Update the database settings and then remove the constants. Leaving them creates confusion when someone tries to change the URL through the dashboard.
  • Not checking for URL inconsistency after SSL migration — This error is very common in the days after moving a site to HTTPS. Always verify Settings → General shows https:// in both URL fields.
  • Assuming the cookie error means the password is wrong — The error appears after a successful authentication check. Your password is correct; the cookie is the problem. Resetting your password won’t help.
  • Ignoring this error on staging environments — Staging environments that share a domain with the live site can have cookie scope conflicts. Ensure staging and production use distinct cookie paths or domains.

Best Practices

1. Keep WordPress URL Settings Consistent

Your WordPress Address and Site Address in Settings → General should exactly match the URL your admins use — protocol (http vs. https) and subdomain (www vs. non-www). These settings determine cookie domains. Any inconsistency creates the conditions for this error.

2. Force HTTPS With a Server-Level Redirect

When moving to HTTPS, configure a 301 redirect from HTTP to HTTPS at .htaccess in addition to updating WordPress’s URL settings:

# .htaccess: Force HTTPS for all traffic
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This prevents WordPress from setting a secure cookie while the browser arrives via HTTP.

3. Test Login in a Clean Browser Profile After Site Changes

After any change that affects WordPress URLs, test the login flow in an incognito window with no extensions active. If login works in incognito but not in your main browser, the issue is browser-profile-specific — not the server.

4. Use WP_DEBUG to Surface Cookie-Related PHP Warnings

If standard fixes don’t resolve the error, enable debug mode temporarily:

define('WP_DEBUG', true);
define('WP_DEBUG_LOG', true);
define('WP_DEBUG_DISPLAY', false);

Check /wp-content/debug.log for warnings before wp_set_auth_cookie(). A “headers already sent” warning — similar to the pluggable.php error — prevents cookies from being set.

Frequently Asked Questions

What causes “cookies are blocked or not supported” most often?

The two most common causes are corrupted or conflicting cookies from a previous login attempt (clear cookies to fix immediately) and a URL mismatch between WordPress’s configured address and the URL in the address bar. Literally disabled cookies are rare on modern browsers with default settings.

How do I fix this when completely locked out of wp-admin?

Connect via SFTP to add WP_SITEURL and WP_HOME constants with the correct URL to wp-config.php. Clear browser cookies and retry. Update the database URL via phpMyAdmin, then remove the constants.

Can this error hurt my SEO?

The cookie error only affects the wp-admin login process and doesn’t affect your site’s front-end pages. However, if a URL mismatch is the underlying cause, the same mismatch may create mixed content issues or incorrect canonical URLs that do affect SEO.

Does this error occur in WooCommerce stores?

Yes. WooCommerce checkout and account pages depend on cookies for cart management and customer sessions. A browser blocking cookies at the domain level causes empty carts, login failures, and checkout errors. The fix is the same: whitelist the domain in privacy extension settings.

Is this error related to the WordPress login redirect loop?

They share a common root cause — URL misconfiguration — but produce different symptoms. The WordPress login redirect loop bounces you between the login page and wp-admin repeatedly without error messages. This error shows a specific message on the login page. Both fix the same way: correct URL settings and clear cookies.

Related Glossary Terms

How CyberOptik Can Help

Still broken? Our team fixes WordPress errors like this in under 30 minutes for maintenance clients. The cookie login error is usually a quick fix — but when the root cause is a URL configuration problem from a migration or SSL setup, it can be intertwined with other issues on the same site. Our WordPress maintenance plans include migration verification and post-SSL checks that catch these configuration mismatches before they lock anyone out. Contact us to restore your login access.