QUICK ANSWER
The WordPress login redirect loop happens when WordPress cannot set authentication cookies after you log in. The most common causes are a mismatch between your site URL settings and your actual domain, a corrupted cookie, a caching plugin serving the old login page, or an SSL/HTTPS conflict. The fastest fix is to clear your browser cookies and cache, then check your WordPress Address and Site Address in wp-config.php.
Fastest first step: Open an Incognito window and try logging in. If it works, the problem is your browser cookies — clear them and you are done.
You type your username and password, click Log In, and — nothing. The page just reloads back to the login screen. No error message. No access. Just an endless loop.
This is one of the most disorienting WordPress errors because it looks like your password is wrong, but it is not. WordPress is accepting your credentials but then failing to keep you logged in. This guide walks through every cause and every fix, starting with the simplest.
TIP Before anything else: try logging in from an Incognito/Private browser window. If that works, the fix is simply clearing your browser cookies — skip straight to Fix 1.
Table of Contents
- What causes the WordPress login redirect loop?
- Fix 1: Clear browser cookies (most common fix)
- Fix 2: Check WordPress Address and Site Address
- Fix 3: Force correct URL in wp-config.php
- Fix 4: Deactivate plugins via FTP
- Fix 5: Fix an SSL/HTTPS conflict
- Fix 6: Regenerate WordPress salts and security keys
- Special case: redirect loop only for one user
- Frequently asked questions
What Causes the WordPress Login Redirect Loop?
When you log in to WordPress, it sets an authentication cookie in your browser. On the next page load, WordPress reads that cookie to confirm you are logged in. The redirect loop happens when this cookie is not being set or read correctly.
Here is a breakdown of every cause and how common each one is:
| Root Cause | How Common | Fix to Use |
| Browser cookie issue | Very common (45%) | Fix 1 |
| Wrong WordPress/Site URL | Common (25%) | Fix 2 or Fix 3 |
| Plugin conflict | Common (15%) | Fix 4 |
| SSL/HTTPS mismatch | Less common | Fix 5 |
| Corrupted security keys | Rare | Fix 6 |
FIX 1: Clear Browser Cookies and Cache Difficulty: Beginner | Time: 2 minutes
Authentication cookies from a previous session, a conflicting cookie from a domain migration, or a corrupted cookie stored in your browser are the single most common cause of the login redirect loop. Clearing them fixes the problem immediately.
Step 1: Try Incognito mode first
Open a new Incognito window (Chrome: Ctrl+Shift+N / Mac: Cmd+Shift+N) and go to yourdomain.com/wp-admin. If you can log in successfully in Incognito, the problem is 100% your browser cookies. Clear them using the steps below and the loop will be gone.
Step 2: Clear cookies for your domain only
- In Chrome: click the lock icon in the address bar while on your login page
- Click Cookies and site data
- Click Manage on-device site data
- Find your domain and click the trash icon to delete all cookies for it
- Reload the login page and try again
Clear all browser cookies (if the above did not work)
- Press Ctrl+Shift+Del (Windows) or Cmd+Shift+Del (Mac)
- Select Cookies and other site data — make sure this is checked
- Also check Cached images and files
- Set the time range to All time
- Click Clear data
- Close and reopen the browser, then try logging in
NOTE Also try a completely different browser (Firefox if you normally use Chrome). If the loop is gone in the other browser, the issue is definitely browser-specific — clearing cookies in your usual browser will fix it.
FIX 2: Check WordPress Address and Site Address Difficulty: Beginner | Time: 3 minutes
WordPress stores two URL settings in the database: the WordPress Address (where WordPress core files are) and the Site Address (the URL visitors use to reach your site). If these are set incorrectly — for example, one uses HTTP and the other uses HTTPS, or one has www and the other does not — WordPress cannot set authentication cookies correctly, causing the redirect loop.
How to check and fix (if you can access wp-admin)
- Go to Settings > General in your WordPress admin
- Check the WordPress Address (URL) and Site Address (URL) fields
- Both must match your actual domain exactly — same protocol (http or https), same www preference
- Common mismatches to look for:
- WordPress Address: https://www.yourdomain.com | Site Address: https://yourdomain.com (www mismatch)
- WordPress Address: http://yourdomain.com | Site Address: https://yourdomain.com (HTTP vs HTTPS)
- WordPress Address: https://yourdomain.com/wordpress | Site Address: https://yourdomain.com (subfolder mismatch)
- Correct both fields so they match exactly, then click Save Changes
- Clear your cache and try logging in
NOTE If you cannot access wp-admin because the loop prevents you from logging in, use Fix 3 below to correct the URLs directly in wp-config.php — no admin access needed.
FIX 3: Force Correct URLs in wp-config.php Difficulty: Beginner | Time: 3 minutes
This fix works even when you are completely locked out of wp-admin. By adding two lines to wp-config.php, you override whatever URL settings are stored in the database and force WordPress to use the correct domain.
Steps
- Connect to your site via FTP or cPanel File Manager
- Open wp-config.php for editing
- Add these two lines directly above the ‘That’s all, stop editing!’ comment:
define( ‘WP_HOME’, ‘https://yourdomain.com’ );
define( ‘WP_SITEURL’, ‘https://yourdomain.com’ );
- Replace yourdomain.com with your actual domain — use the exact URL you want visitors to use, including https:// if your site has SSL
- Save the file and try logging in
- Once you are back in, go to Settings > General and confirm both URL fields match what you set above
IMPORTANT Use https:// if your site has an SSL certificate installed (most sites do in 2026). Use http:// only if your site genuinely does not have SSL. Mixing these is one of the most common causes of the login loop.
FIX 4: Deactivate All Plugins via FTP Difficulty: Beginner | Time: 3 minutes
Security plugins, caching plugins, and login-enhancement plugins are common triggers for the login redirect loop. They can interfere with WordPress’s cookie-setting process or intercept the login redirect. Since you may not be able to access wp-admin, use the FTP method to deactivate all plugins at once.
Steps
- Connect to your site via FTP (FileZilla) or cPanel File Manager
- Navigate to /wp-content/
- Find the folder named plugins
- Rename it to plugins_disabled — this deactivates every plugin instantly
- Try logging in to wp-admin
- If you can now log in, a plugin is causing the redirect loop
- Rename the folder back to plugins
- Reactivate plugins one by one from the Plugins menu, testing login after each activation
- The plugin that triggers the loop when activated is the culprit — deactivate it and contact its developer
Most likely culprit plugins
- Security plugins — Wordfence, iThemes Security, All In One WP Security
- Caching plugins — WP Rocket, W3 Total Cache, LiteSpeed Cache (if misconfigured)
- Login redirect plugins — any plugin that customizes the post-login redirect URL
- Membership plugins — MemberPress, Restrict Content Pro, WooCommerce Memberships
TIP If a security plugin is the culprit, check its settings for a ‘login redirect’ or ‘force login’ option before removing it entirely — often just disabling one feature inside the plugin fixes the problem.
FIX 5: Fix an SSL/HTTPS Conflict Difficulty: Intermediate | Time: 5 minutes
If your site recently moved from HTTP to HTTPS (or vice versa), or if your SSL certificate was recently updated or changed, WordPress authentication cookies may be rejected by the browser because the cookie was set on a different protocol than the current one.
Signs this is an SSL issue
- The login loop started exactly when you installed an SSL certificate or enabled HTTPS
- Your browser shows a ‘not secure’ warning on the login page
- The URL in your address bar switches between http:// and https:// during the login redirect
Fix: Force HTTPS in wp-config.php
Add this line to wp-config.php, above the ‘That’s all, stop editing!’ comment:
define( ‘FORCE_SSL_ADMIN’, true );
Fix: Ensure your .htaccess redirects HTTP to HTTPS
Add these lines at the top of your .htaccess file, before the WordPress rules:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Fix: Check COOKIE_DOMAIN in wp-config.php
If you have a COOKIE_DOMAIN constant set in wp-config.php, make sure it matches your current domain exactly. A leftover COOKIE_DOMAIN from a previous domain can cause login cookies to be rejected:
// Remove or update this line if it exists and is wrong:
define( ‘COOKIE_DOMAIN’, ‘yourdomain.com’ );
IMPORTANT After making SSL-related changes, always clear your browser cookies completely (not just cache) before testing the login. Old HTTP cookies will conflict with the new HTTPS session.
FIX 6: Regenerate WordPress Security Keys and Salts Difficulty: Intermediate | Time: 5 minutes
WordPress uses secret security keys and salts stored in wp-config.php to encrypt authentication cookies. If these keys become corrupted — for example after a site migration, a hack, or a manual wp-config.php edit that introduced a syntax error — all existing cookies become invalid and every user gets redirected back to the login page.
Regenerating these keys invalidates all current login sessions (including your own) and forces a fresh login. This fixes corrupt cookie authentication issues.
Steps
- Go to this URL in your browser to generate fresh keys:
- Copy all 8 lines that appear on that page
- Open wp-config.php via FTP or File Manager
- Find the existing block of security keys — it looks like this:
define(‘AUTH_KEY’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);
define(‘LOGGED_IN_KEY’, ‘put your unique phrase here’);
… and so on for 8 lines
- Delete all 8 existing key lines and paste in the new ones you copied
- Save wp-config.php
- All users will be logged out. Log back in — the redirect loop should be gone
NOTE Regenerating security keys logs out every user on your site, including all admins. This is safe and by design. It is also a good security practice after any suspected compromise.
Special Case: Redirect Loop Only for One User
If only one specific user account experiences the login redirect loop while others can log in fine, the issue is account-specific rather than site-wide. Try these targeted fixes:
Reset that user’s password
- Go to Users > All Users in wp-admin (using a different admin account)
- Click the affected user
- Scroll down and click Generate Password or set a new one manually
- Save the changes and have the user try logging in with the new password
Check the user’s role
A plugin or security setting may have restricted login for that specific user role. Check that the user has an appropriate role (Editor, Administrator) and has not been accidentally set to Subscriber or a custom restricted role.
The user should clear their cookies
Individual cookie corruption is the most common cause of a per-user login loop. Ask the affected user to clear all browser cookies for your domain (follow Fix 1 steps above) and try again from a fresh browser session.
Frequently Asked Questions
Why does WordPress keep redirecting to the login page after I enter the correct password?
WordPress redirects back to the login page when it cannot set or read the authentication cookie after a successful login. This happens when the cookie domain does not match the URL you are visiting (caused by a URL mismatch in Settings), when your browser is blocking cookies from the site, or when a plugin is interfering with the redirect that follows a successful login. The quick test: try Incognito mode. If that works, clear your browser cookies.
I can log in on mobile but not on my desktop — what does that mean?
This confirms the issue is browser or cookie specific on your desktop, not a server or WordPress problem. Clear all cookies in your desktop browser for your domain (see Fix 1), then try again. If the problem is only in one specific browser on your desktop, try a different browser temporarily while you clear the cookies in the affected one.
The login redirect loop started after I migrated my site to a new domain — why?
Site migrations are the most common trigger for this error. When you move a site to a new domain, the WordPress Address and Site Address settings in the database still point to the old domain. WordPress tries to set cookies for the old domain, your browser rejects them for the new domain, and the loop begins. Fix 3 (forcing URLs in wp-config.php) resolves this in every migration case.
Can a login redirect loop mean my site was hacked?
Rarely, but yes — malware can inject code that interferes with the login process. If none of the fixes above work and your site recently showed unusual behavior (spam links, new admin users, unexpected content changes), run a malware scan with Wordfence or MalCare. A compromised wp-config.php or functions.php can cause login issues.
Will fixing the redirect loop log out all my users?
Most fixes (clearing cookies, fixing URLs, deactivating plugins) only affect your own session and do not impact other users. Fix 6 (regenerating security keys) is the exception — it logs out every user on the site simultaneously. Use Fix 6 only if all other fixes have failed.
How do I prevent the login redirect loop from happening again?
Three things prevent almost every recurrence: keep your WordPress Address and Site Address settings correctly configured (always matching your actual domain with the correct protocol); avoid having multiple caching or security plugins active simultaneously; and always clear the cache after any domain change, SSL update, or site migration. If you move your site to a new domain in future, update the URL settings in wp-config.php before anything else.
Wrapping Up
The WordPress admin login redirect loop is almost always caused by one of three things: a browser cookie issue, a URL mismatch in your WordPress settings, or a plugin conflict. Start by testing Incognito mode — if login works there, clear your cookies and you are done. If not, work through Fixes 2 through 6 in order.
The great news: none of these fixes require advanced technical knowledge, and most take under 5 minutes. Your content, users, and database are completely safe throughout.