WordPress login redirect loop

Severity: Critical · Fix time: 5–15 min · Skill level: Intermediate

WordPress login redirect loop is a condition where entering correct credentials on wp-login.php immediately redirects back to the login page without logging in — as if the credentials were never submitted. No error message appears. The login just silently fails and returns to the same screen, trapping you outside wp-admin indefinitely.

This is one of the more disorienting WordPress errors because nothing appears to be “wrong” — the login page looks normal, your credentials are correct, but the site won’t accept them. The cause is almost always browser cookies, an incorrect WordPress site URL, a corrupted .htaccess file, or a PHP-level issue preventing WordPress from setting the authentication cookie properly.

Need a quick map of every WordPress error? See our 70+ WordPress Errors Guide → for a categorized reference of every common WordPress issue.

How the WordPress Login Redirect Loop Works

WordPress login works through cookies. When you enter correct credentials, WordPress validates them, creates a session cookie, and redirects your browser to wp-admin. The cookie tells WordPress “this is a logged-in user.” If WordPress can’t set the cookie — or if the browser doesn’t accept it — the redirect to wp-admin fails, and WordPress sends you back to the login page.

Common causes include:

• Browser cookie problem — Stale, corrupted, or blocked cookies for your domain prevent WordPress from setting the new authentication cookie. This is the most common cause and the easiest to fix.
• Incorrect WordPress or Site URL — If WP_HOME or WP_SITEURL points to a different URL than the one you’re accessing the login page from (e.g., http:// vs https://, or www vs no-www), the cookie domain mismatch prevents authentication.
• Corrupted .htaccess file — An .htaccess file with invalid redirect rules can intercept the post-login redirect and send it somewhere unexpected, creating a loop.
• Incorrect file permissions — If WordPress can’t write session data due to permission restrictions, authentication fails silently.
• Plugin conflicts — Security plugins, membership plugins, or redirect plugins can intercept the login redirect and create a loop. This is especially common after a plugin update.
• HTTPS/HTTP mismatch — If WordPress is set to use HTTPS in its URL settings but the login page is being accessed over HTTP (or vice versa), the cookie won’t be sent back because it has a different domain/protocol than expected.

Check This First — 2-Minute Diagnostic

1. Try an incognito/private window — Open a fresh incognito window and try logging in. If it works, the problem is browser cookies — clear them and log in normally.
2. Try a different browser — If incognito works, the issue is specific to your regular browser session. Clear cookies in your regular browser for the site’s domain.
3. Check if anyone else can log in — Ask a colleague to try. If they can log in, the problem is isolated to your browser/device.
4. Check the URL in your address bar — Does the login page URL match what’s set in Settings → General? An http:// vs https:// mismatch or a www discrepancy can cause authentication failure.
5. Check for recent changes — Was a plugin updated, a domain migrated, or an SSL certificate installed recently? These are common triggers.

Purpose & Benefits

1. Understanding Cookie-Based Authentication

WordPress’s login system relies on cookies, and many redirect loop causes come down to cookie domain mismatches. Understanding this mechanism helps you debug faster: if the cookie isn’t being set correctly, something is wrong with the domain, protocol, or cookie settings — not with the login credentials themselves.

2. Maintaining Admin Access During Crisis

Being locked out of wp-admin is an operational crisis. A documented fix path compresses recovery from hours to minutes. The most important asset is SFTP access — with file access, you can resolve virtually any login issue without needing an active admin session.

3. Proactive URL Configuration Prevents Recurrence

Many login loops stem from URL mismatches that existed before the error — a half-migrated HTTPS setup or inconsistent www settings. Fixing the root cause prevents recurrence after the next update or server change. Our WordPress maintenance services include configuration audits that catch these mismatches before they become problems.

Examples

1. Clearing Browser Cookies Restores Login

The most frequent scenario: a site owner reports that login suddenly stopped working after weeks of normal operation. No changes were made recently. Opening an incognito window and logging in succeeds immediately. The problem was stale authentication cookies in the regular browser session that conflicted with the new login attempt. Fix: clear cookies specifically for the site’s domain in browser settings. The regular browser session logs in without issue afterward.

2. Incorrect Site URL After SSL Installation

A site migrated from http:// to https:// has the WordPress Address updated to https://yoursite.com in Settings → General, but the login page is being accessed via http://yoursite.com/wp-login.php. The cookie is set for yoursite.com over HTTPS, but the browser is on HTTP — it doesn’t send the cookie back, causing the redirect loop. Fix: access wp-config.php via SFTP and add the correct URL definitions:

// Force correct URLs to resolve cookie domain mismatch
define('WP_HOME', 'https://yoursite.com');
define('WP_SITEURL', 'https://yoursite.com');

After adding these lines, access the login page via https://yoursite.com/wp-login.php.

3. Corrupted .htaccess Intercepting Login Redirect

A security plugin’s update added conflicting redirect rules to .htaccess that intercept the login redirect. Renaming .htaccess to .htaccess_old via SFTP allows the login to complete normally. After login, go to Settings → Permalinks → Save Changes to regenerate a clean .htaccess. Review the old .htaccess file to identify which rules were causing the conflict before discarding it.

Common Mistakes to Avoid

• Assuming the password is wrong — A login redirect loop looks identical to a wrong-password failure on the surface, but it’s mechanically different. No “incorrect password” message appears. If your credentials are correct and you’re being redirected back silently, it’s a redirect loop — not a forgotten password.
• Resetting the password without diagnosing the loop — Resetting your password doesn’t fix a redirect loop caused by cookies, URL settings, or .htaccess. It’s a wasted step that delays the actual fix.
• Trying to log in repeatedly — Multiple failed login attempts from the same IP can trigger rate limiting on security plugins, temporarily blocking you entirely. Try incognito first before attempting multiple logins.
• Forgetting to clear cache after fixing URLs — If you corrected URL settings in wp-config.php or the database, cached redirects from a caching plugin or CDN may still be routing you to the wrong URL. Purge all caches after fixing the configuration.

Best Practices

1. Clear Browser Cookies and Try Incognito First

Before accessing file systems or databases, take 30 seconds to try the login in a fresh incognito window. This isolates whether the problem is browser-side (cookies, cached redirects) or server-side (URL settings, .htaccess). If incognito login works, clear cookies for your site’s domain in your regular browser and you’re done. This resolves a significant portion of login redirect loop reports.

2. Fix WordPress URL Settings via wp-config.php

If the incognito test doesn’t help, connect via SFTP and check your wp-config.php for any existing WP_HOME or WP_SITEURL definitions. If they’re missing, add them with the correct HTTPS URL of your site. If they exist with the wrong URL, correct them. The definitive values are what your site should be accessed at — matching protocol (HTTP or HTTPS), matching www preference, and matching domain:

// Add to wp-config.php if login redirect loop persists
define('WP_HOME', 'https://yourdomain.com');
define('WP_SITEURL', 'https://yourdomain.com');

3. Rename .htaccess and Deactivate Plugins

If URL settings are correct and the loop persists, rename .htaccess to .htaccess_old via SFTP and try logging in. If it succeeds, regenerate .htaccess via Settings → Permalinks → Save Changes and carefully compare the old file for conflicting rules. If the loop persists without .htaccess, rename /wp-content/plugins/ to /wp-content/plugins-disabled/ via SFTP. If login succeeds, reactivate plugins one by one to identify the culprit.

Frequently Asked Questions

What causes the WordPress login redirect loop most often?

Browser cookies are the single most common cause — specifically, stale or corrupted authentication cookies that conflict with a new login attempt. The fix is to clear cookies for the site domain or try an incognito window. After cookies, the next most common cause is a URL mismatch between WordPress’s URL settings and the actual URL being used to access the login page.

How do I fix the WordPress login redirect loop when locked out of wp-admin?

You need file access. Connect via SFTP or your hosting File Manager. First, add define('WP_HOME', 'https://yourdomain.com'); and define('WP_SITEURL', 'https://yourdomain.com'); to wp-config.php (with your actual domain). Then rename .htaccess to .htaccess_old. Try logging in at https://yourdomain.com/wp-login.php. If still locked out, rename /wp-content/plugins/ to disable all plugins and try again.

Can the login redirect loop hurt my SEO?

Not directly — front-end visitors aren’t affected by a wp-admin login issue. However, if the underlying cause (URL mismatch, .htaccess corruption) also creates front-end redirect problems, that would impact both visitors and crawlers. Investigate whether front-end pages are also affected.

Why does the login loop happen after an SSL/HTTPS migration?

SSL migration changes your URL from http:// to https://. If WordPress’s stored URL settings still reference HTTP after the migration, authentication cookies are set for the HTTP domain. When WordPress redirects to HTTPS, the browser won’t send back an HTTP cookie — causing the loop. Fix: ensure both WP_HOME and WP_SITEURL use https://.

What if the login loop only affects one admin account?

If the loop affects one user but not others, the issue is specific to that user’s browser cookies or a session token. Clear cookies for that user. If it persists, rotate the security keys in wp-config.php (generate new values at the WordPress secret key generator) to invalidate all active sessions and force a fresh login.

Related Glossary Terms

• ERR_TOO_MANY_REDIRECTS / Redirect Loop
• .htaccess
• wp-config
• HTTPS (Hypertext Transfer Protocol Secure)
• SSL Certificate
• SFTP (Secure File Transfer Protocol)
• White Screen of Death (WSOD)
• 404 Error

How CyberOptik Can Help

Still broken? Our team fixes WordPress errors like this in under 30 minutes for maintenance clients. A wp-admin login redirect loop locks you out of your own website — and every minute locked out is a minute you can’t make updates, moderate comments, or respond to site issues. Our team handles login recovery, URL configuration, and .htaccess audits as part of regular WordPress maintenance and support. Contact us immediately if you’re locked out or explore our WordPress support services.