WordPress GuideErrors → Login Redirect Loop

How to fix the WordPress login redirect loop

wordpress login redirect loop

A WordPress login redirect loop is when you enter your username and password on the WordPress login screen, click Log In, and get sent right back to the same login screen instead of into your WordPress dashboard.

You’re stuck in a cycle: you enter your login details, get redirected to login, enter credentials again, same result. No error message pops up, it’s just an endless loop.

This is one of the more common WordPress login issues, and the good news is that most of the time it’s fixable once you know where to look.

This guide covers:

  • What causes a WordPress login redirect loop.
  • How to fix the issue in a logical order from easiest to most technical.
  • How to use wp-config.php to force a fix when other methods don’t work.
  • How to prevent the loop from happening again on your site.
  • Answers to the most common questions about login redirect loops.

A quick note before we get started: the WordPress login redirect loop is different from the more general ‘too many redirects‘ error, even though the underlying cause can be similar. The login redirect loop affects just wp-login.php/wp-admin.php and the admin area. The ‘too many redirects’ error usually affects the whole site. Some of the fixes overlap, but the troubleshooting order is different.

Get fast, reliable hosting for WordPress

Power your site with the industry’s fastest, most optimized WordPress hosting

What causes a WordPress login redirect loop?

A WordPress login redirect loop almost always comes down to one of these causes, roughly ordered by how common they are.

Mismatched WordPress URL settings

The most common cause is a mismatch between your WordPress Address (URL) and Site Address (URL) settings, or between those settings and the URL your browser is actually requesting.

WordPress sets the login cookie for one domain (let’s say www.yoursite.com), then redirects you to a different domain (yoursite.com). The cookie doesn’t follow, so WordPress thinks you’re not logged in and sends you back to the login screen.

This often happens after switching between www and non-www, moving from HTTP to HTTPS, or migrating to a new domain.

Mismatched WordPress URL settings

Plugin conflicts

Plugin conflicts represent 65% of technical malfunctions reported in WordPress sites, according to industry research. Security plugins are particularly likely to interfere with login redirects since they often modify the authentication flow. Caching plugins can also cause this if they’re caching login pages they shouldn’t. A recently installed or recently updated plugin could be the reason for this happening.

Corrupted browser cookies

Sometimes the loop happens because your browser is sending bad cookie data or has cache issues. Outdated or corrupted cookies tell WordPress something inconsistent, and the login flow breaks.

Corrupt or misconfigured .htaccess file

The .htaccess file in your WordPress root directory controls server-level rewrites and redirects. A corrupted .htaccess file (often from a botched plugin install, a security tool that modified it incorrectly, or manual edits gone wrong) can send your login redirects in circles.

Theme conflicts

Less common than plugin conflicts, but a recently changed theme or a custom theme with errors in its functions.php can break the login flow.

File permission errors

Incorrect file permissions on wp-config.php or other core files can prevent WordPress from reading the values it needs to handle logins properly. The standard is 755 for directories and 644 for files, with wp-config.php ideally set to 440 or 600 for tighter security.

Server-side caching or CDN issues

If you’re using a CDN like Cloudflare or server-side caching, the login flow can be cached when it shouldn’t be. The CDN serves an older version of the response, and the login never completes.

How to fix the WordPress login redirect loop (step by step)

Work through these fixes in order. The earlier steps are the easiest and most likely to solve the problem, so don’t skip ahead to wp-config.php edits unless you’ve already tried the basics.

Step 1: Clear browser cookies and cache for your site

Start here. About a third of login redirect loops are fixed by this step.

  1. Open your browser’s settings.
  2. Find the option to clear cookies and cached data.
  3. Filter to only your site’s domain (otherwise you’ll log out of everything else).
  4. Clear the cookies and cached files.
  5. Restart your browser and try logging in again.
delete browsing data

If that doesn’t work, try logging in from a different browser (Chrome if you usually use Firefox, or vice versa) or from an incognito window. If the login works elsewhere, the issue is browser-specific, and a full cache clear will fix it.

Step 2: Disable browser extensions

Some browser extensions, especially privacy-focused ones, block cookies in ways that break the WordPress login flow. Disable extensions one by one (or just use an incognito window with no extensions) to test.

Step 3: Check your WordPress URL settings

If you have access to your dashboard (sometimes the login loop only affects certain users or paths), check Settings > General and make sure the WordPress Address (URL) and Site Address (URL) both:

  • Use the same protocol consistently (both HTTPS, ideally).
  • Use the same www or non-www format.
  • Match the URL you’re actually visiting in your browser.
Mismatched WordPress URL settings

If you can’t access your dashboard, jump to Step 7 to fix these values via wp-config.php instead.

Step 4: Disable plugins via FTP

If you can’t log in to disable plugins through the WordPress admin dashboard, you can disable all plugins at once via FTP or your hosting control panel’s file manager:

  1. Connect to your site via FTP, SFTP, or your hosting provider’s file manager.
  2. Navigate to /wp-content/.
  3. Rename the plugins folder to something like plugins-disabled.
  4. Try logging in again.

If the login works, one of your plugins was the cause. Rename the folder back to plugins. WordPress will recognize that all the plugins are now deactivated. Log in to your dashboard and reactivate plugins one at a time, testing the login between each one, until you find the plugin causing the issue.

The most common culprits in our experience are security plugins, caching plugins, and any plugin that modifies the login URL or adds two-factor authentication.

Step 5: Switch to a default WordPress theme

If disabling plugins didn’t fix it, the issue might be your theme.

  1. Connect to your site via FTP or file manager.
  2. Navigate to /wp-content/themes/.
  3. Rename your active theme’s folder to something like your-theme-disabled.
  4. WordPress will automatically fall back to the latest default theme (Twenty Twenty-Five at the time of writing).
  5. Try logging in again.

If the login works with the default theme, your custom theme is the cause and needs troubleshooting. You can usually rename the folder back, and the theme will reactivate, but check it for recent changes (especially to functions.php) before doing anything else.

Step 6: Reset the .htaccess file

A corrupted .htaccess file can cause redirect loops at the server level. The fix is to let WordPress regenerate a clean one:

  1. Connect to your site via FTP or file manager.
  2. Navigate to the WordPress root directory (the folder containing wp-config.php).
  3. Rename .htaccess to .htaccess.old.
  4. Log in to your WordPress dashboard.
  5. Go to Settings > Permalinks.
  6. Click Save Changes without changing anything. This regenerates a fresh .htaccess file with the default WordPress rules.

If you can’t log in to do step 4-6, you can create a clean .htaccess manually. Create a file called .htaccess in your WordPress root with this content:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

This is the standard WordPress .htaccess content and will work for most sites using pretty permalinks.

Step 7: Update WordPress URL settings via wp-config.php

If you can’t access your dashboard and Steps 1-6 haven’t worked, you can force the WordPress URL settings through wp-config.php. This overrides whatever is in the database.

  1. Connect to your site via FTP or file manager.
  2. Open wp-config.php in the WordPress root directory.
  3. Find the line that says /* That’s all, stop editing! Happy publishing. */ (or similar).
  4. Just above that line, add these two lines, replacing the domain with your actual site URL:
define( 'WP_HOME', 'https://yourdomain.com' );
define( 'WP_SITEURL', 'https://yourdomain.com' );
  1. Save the file and try logging in.

If this fixes the issue, once you can access your dashboard, go to Settings > General and update the URLs there to match. You can then remove the lines from wp-config.php so the database values are used again.

Step 8: Force cookie domain consistency

If you’ve tried everything above and the loop persists, add one more line to wp-config.php that forces WordPress to use a specific cookie domain:

define( 'COOKIE_DOMAIN', 'yourdomain.com' );

Place this above the same /* That's all, stop editing! */ line. This is particularly useful when the loop is caused by a www/non-www mismatch that other fixes haven’t resolved.

Step 9: Check file permissions

Permissions that are too restrictive can prevent WordPress from reading the files it needs to authenticate properly. The standard:

  • Directories: 755
  • Files: 644
  • wp-config.php: 440 or 600 (for tighter security)

If you’re not sure what your current permissions are, your FTP client or file manager will show them. Most hosting control panels include a file permissions tool. Check the WordPress root directory and wp-content folder permissions in particular.

Step 10: Disable caching and CDN

If you use a caching plugin or a CDN like Cloudflare, temporarily disable them to test:

  1. Caching plugins: Disable the plugin via FTP using the rename method from Step 4.
  2. Cloudflare: Set it to development mode (under your domain’s settings > Caching > Configuration). This bypasses caching for three hours, long enough to test the login.
  3. Server-side caching: Contact your hosting provider’s support team to disable any server-level caching temporarily.

Try logging in. If the login works without caching, the cache is what was causing the loop. You’ll need to clear the cache and adjust the cache rules so login pages aren’t cached.

Step 11: Contact your hosting support

If you’ve worked through all the steps above and you still can’t log in, contact your hosting provider’s support team. Server-level issues (mod_security rules, firewall configurations, DNS routing) can cause login loops that aren’t fixable from the WordPress side. Liquid Web’s managed WordPress hosting includes 24/7 support that can diagnose these issues directly on the server.

How to prevent the WordPress login redirect loop

Prevention is mostly about not letting your WordPress configuration drift out of sync over time.

Keep WordPress, plugins, and themes updated

Outdated software is the leading cause of most WordPress problems, including login issues. Auto-updates for minor releases of WordPress core, plugins, and themes catch most security and compatibility issues before they cause problems.

Test plugin and theme changes on staging first

Changing your active theme or installing a major new plugin on a live site is the fastest way to introduce a login loop. Most managed WordPress hosting providers include staging environments where you can test changes before pushing them live.

Keep your WordPress and Site Address settings in sync

When you move from HTTP to HTTPS, switch between www and non-www, or migrate to a new domain, update the URL settings in Settings > General as part of the migration process. Don’t rely on .htaccess redirects alone.

Use a security plugin that doesn’t break authentication

Some security plugins are aggressive about modifying the WordPress login flow, which can introduce login redirect loops on certain configurations. Kadence Security is built with WordPress’s standard authentication flow in mind and includes features (real-time firewall, brute force protection, two-factor authentication) that protect login pages without breaking them. The combination of these features handles most of the security needs that other plugins try to address through more aggressive (and conflict-prone) means.

Keep regular backups

Automated daily backups give you a fast path back if something goes wrong with your login. If you’ve made changes that caused a login redirect loop and you can’t fix it, restoring from a backup taken before the change is usually faster than working through every fix in this guide.

Pick the right hosting

Shared hosting environments are more likely to introduce login redirect loop issues because of how they handle server-level configurations. Managed WordPress hosting avoids most of these issues by providing optimized server configurations specifically for WordPress workloads.

Additional resources

Diagnosing WordPress errors on your site →

Even more common errors, how to troubleshoot them, and how to solve them

Resolving 500 internal server errors on WordPress →

Learn the steps you can take to fix an Internal Server Error on WordPress in this blog.

What is managed WordPress hosting? →

What it means, what it includes, and how to decide if it’s right for you

Trust us to help you choose the ideal hosting solution

Loading form…