WordPress Login Redirect Loop: Every Cause Fixed

A WordPress login redirect loop means you enter your credentials, hit Log In, and the page just reloads the login form — over and over, never letting you in. The root cause is almost always a mismatch between the URL WordPress thinks it lives at and the URL your browser actually used, a corrupted cookie, or a plugin intercepting the authentication flow. In most cases you can fix it in under ten minutes without touching a database.

What You're Actually Seeing

The experience varies slightly depending on the cause, so it's worth identifying your exact symptom before diving in:

• Silent loop: You submit the login form and land straight back on /wp-login.php with no error message at all.
• Loop with "cookies are blocked" notice: WordPress explicitly tells you cookies are disabled or blocked.
• Brief redirect through the dashboard then back to login: You catch a flash of /wp-admin/ before being thrown back — a sign that authentication succeeds but something immediately logs you out again.
• Redirect to the front end instead of the dashboard: Clicking login sends you to your homepage, never to /wp-admin/.

Each pattern points to a slightly different culprit. The fixes below are ordered from safest and fastest to more involved. Back up your site before making any file or database changes — if your host provides one-click snapshots, take one now.

Fix 1: Clear Your Browser Cookies for the Site

WordPress relies on a short-lived authentication cookie. If an old or malformed cookie is sitting in your browser, every login attempt will fail silently because WordPress sees a conflicting cookie and refuses to set a new one.

1. Open your browser settings and clear cookies and site data specifically for your domain — you don't need to wipe everything.
2. Alternatively, open a private/incognito window and try logging in fresh. If that works, a stale cookie was the entire problem.
3. Try a different browser entirely to rule out browser-level caching issues.

This solves the problem surprisingly often. If it doesn't, keep going.

Fix 2: Check Your WordPress and Site URL Settings

WordPress stores two critical URLs in the database: WordPress Address (URL) and Site Address (URL), found at Settings → General. If these don't exactly match the URL your browser uses — including whether www is present and whether the scheme is http or https — the authentication cookies get set for the wrong domain and are immediately rejected.

Common mismatches that cause login loops:

• Database says http://example.com but your server forces an HTTPS redirect, so the browser lands on https://example.com.
• Database says https://www.example.com but you typed https://example.com in the address bar (or vice versa).
• A recent migration or domain change was applied in the server config but not yet in WordPress.

If you can reach Settings → General, fix the URLs there. If you're locked out completely, you can override them safely by adding two lines to wp-config.php — open it via your host's file manager or FTP:

define( 'WP_HOME', 'https://example.com' );
define( 'WP_SITEURL', 'https://example.com' );

Replace https://example.com with your actual, correct URL. These constants override whatever is in the database without touching it, so you can remove them later once you've fixed the underlying setting. Save the file and try logging in again.

Fix 3: Force an SSL Cookie (HTTPS Sites)

If your site runs over HTTPS but WordPress doesn't know that definitively, it may set authentication cookies without the Secure flag, and some browser configurations will reject those. Add this to wp-config.php above the /* That's all, stop editing! */ line:

define( 'FORCE_SSL_ADMIN', true );

Also confirm your server is sending a correct HTTPS environment variable. If you're behind a load balancer or a reverse proxy (common on managed hosts and with Cloudflare in proxy mode), WordPress may not detect HTTPS correctly. Your host's support team can confirm what header to trust.

Fix 4: Deactivate All Plugins via FTP or File Manager

Security plugins, login-protection plugins, caching plugins, and membership plugins all hook into the authentication flow. Any one of them can intercept a successful login and immediately redirect you back to the login page — especially after an update that introduced a bug.

Because you can't reach the dashboard, you need to deactivate plugins at the file level:

1. Connect via FTP or your host's file manager.
2. Navigate to wp-content/plugins/.
3. Rename the entire plugins folder to something like plugins_disabled. WordPress will deactivate everything automatically.
4. Try logging in. If you get in, rename the folder back to plugins, then reactivate plugins one at a time — starting with security and caching plugins — until the loop returns. The last plugin you activated is the culprit.

This is the single most reliable way to isolate a plugin-caused loop, and it's completely reversible.

Fix 5: Check and Repair .htaccess

A corrupted or over-aggressive .htaccess file — often left behind by a security plugin, a caching plugin, or a manual edit — can redirect login requests incorrectly. This is particularly common when a plugin has added redirect rules that conflict with WordPress's own rewrite rules.

1. Via FTP or file manager, locate .htaccess in the root of your WordPress install.
2. Download a copy as a backup, then replace the entire file with the default WordPress version:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

If your WordPress install is in a subdirectory, adjust RewriteBase accordingly. Try logging in again. If it works, the original .htaccess had bad rules — check the backup copy carefully before re-adding anything from it.

Fix 6: Regenerate WordPress Security Keys and Salts

WordPress uses a set of secret keys and salts to sign and validate authentication cookies. If these have become corrupted, or if you suspect the site was compromised, existing cookies — including any partially-formed session cookies — will fail validation and loop indefinitely.

1. Visit the WordPress secret key generator and copy the fresh set of keys it produces.
2. Open wp-config.php and replace the existing block of define( 'AUTH_KEY', ... ) lines with the new ones.
3. Save the file. This will immediately invalidate all existing sessions — everyone currently logged in will need to log in again — but that's expected and safe.

Now clear your cookies and attempt login. This is also a good step to take any time you suspect unauthorized access. For more on locking down your site after a security event, see WordPress Site Hacked? Here's How to Clean It Up — Safely.

Fix 7: Rule Out Caching at the Server Level

Server-side page caches (LiteSpeed Cache, WP Rocket's server integration, host-level caching like SiteGround's SuperCacher or WP Engine's built-in cache) can cache the login page itself or the redirect response, which means every request gets the same cached redirect back regardless of whether authentication succeeded.

• Log into your host's control panel and purge all caches.
• If your host has a CDN enabled (Cloudflare, Cloudfront, BunnyCDN), purge the CDN cache too.
• Temporarily bypass the cache by adding a query string to the login URL: https://example.com/wp-login.php?nocache=1 — this won't fix the root issue but tells you whether caching is involved.

For persistent caching loops, you may need to add /wp-login.php and /wp-admin/ to your cache exclusion rules — most caching plugins and hosts do this by default, but rules can get corrupted or overwritten.

How to Prevent Login Redirect Loops

Most loops are triggered by updates or configuration changes. A few habits prevent the majority of them:

• Update staging first. Test major plugin and theme updates on a staging environment before pushing to production. Many hosts provide one-click staging.
• Keep URLs consistent. Use a single canonical URL everywhere — in WordPress settings, your SSL certificate, your server redirects, and your CDN. Mixing www and non-www or http and https is the most common trigger.
• Don't stack security plugins. Running two login-protection or firewall plugins simultaneously almost guarantees conflicts in the auth flow.
• Schedule regular backups. When something breaks, a recent backup makes recovery trivial. A Care Plan handles managed backups, updates, and uptime monitoring automatically so these emergencies stay rare.

If you want a structured approach to keeping your site stable long-term, The WordPress Maintenance Routine That Actually Prevents Emergencies is worth reading next.

When to Call a Professional

If you've worked through every fix above and you're still looping — or if you're not comfortable editing wp-config.php and .htaccess — the problem is likely something more specific to your server configuration, a database-level corruption, or a plugin that's left behind residual data even after deactivation.

That's exactly the kind of problem Mend's Quick Fix service is built for. A senior engineer will diagnose the exact cause, fix it with a backup-first workflow, and send you a plain-English report of what changed and why — most fixes are completed the same day. If you're not sure what you're dealing with yet, start with a free Diagnosis — no credit card required, and you'll get a flat price before any work begins.