Login Page Redirect Loop

You enter your correct username and password, hit Log In, and WordPress dumps you right back on the login page. No error message, no explanation — just an endless loop. This is one of the most maddening WordPress issues because everything looks fine, but the authentication cookie never sticks.

The root cause is almost always a mismatch between what WordPress thinks the site URL is and what your browser is actually requesting. Cookies get set for one domain but the redirect points to another, so WordPress never sees you as logged in.

What Causes Login Page Redirect Loop?

1. Mismatched Site URL and WordPress URL — The siteurl and home values in your database don’t match what’s in the browser (e.g., www vs non-www, or http vs https).
2. Corrupted cookies — Stale or conflicting cookies from a previous WordPress install on the same domain prevent the new auth cookie from being recognized.
3. Broken .htaccess rules — Custom redirect rules or conflicting rewrite directives create a loop before WordPress even processes the login.
4. Plugin conflict — Security plugins, caching plugins, or custom login plugins can intercept the authentication flow and break cookie handling.
5. Incorrect wp-config.php settings — Hardcoded WP_HOME or WP_SITEURL values that don’t match reality, or a missing cookie domain definition on multisite.

How to Fix It

Step 1: Clear Your Browser Cookies

Before touching any files, rule out the simplest cause. Clear cookies specifically for your domain — not all cookies, just the ones for your site.

In Chrome: Settings → Privacy → Cookies → See all site data → search for your domain → Remove.

If you can log in after clearing cookies, the problem was stale auth cookies. Skip to the Prevention section. If not, keep going.

Step 2: Force the Site URL in wp-config.php

This is the fix 80% of the time. Connect to your server via FTP or SSH and open wp-config.php in your site root. Add these lines above the /* That's all, stop editing! */ comment:

define('WP_HOME', 'https://yourdomain.com');
define('WP_SITEURL', 'https://yourdomain.com');

Replace https://yourdomain.com with your actual URL. Pay attention to:

• https vs http — must match your SSL setup
• www vs non-www — must match what users type

Save the file and try logging in again. If this works, go into Settings → General after login and verify both URLs match, then remove the lines from wp-config.php so the database values take over.

Step 3: Reset.htaccess

If step 2 didn’t fix it, your .htaccess file might be corrupted. Via FTP or SSH, navigate to your site root and rename the file:

mv.htaccess.htaccess.backup

Then create a fresh .htaccess with default WordPress rewrite rules:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule. /index.php [L]
</IfModule>
# END WordPress

Try logging in. If it works, the old .htaccess had conflicting rules — don’t just restore it. Review .htaccess.backup line by line and only re-add rules you actually need.

Step 4: Deactivate All Plugins

Still stuck? A plugin is likely hijacking the login flow. Rename the plugins directory via FTP:

mv wp-content/plugins wp-content/plugins-disabled

Or if you have WP-CLI access and can run commands from the server:

wp plugin deactivate --all --path=/var/www/html

Try logging in. If it works, create a fresh wp-content/plugins directory, then move plugins back one at a time from plugins-disabled, logging in after each one to find the culprit.

The usual suspects: Wordfence, iThemes Security, WP Super Cache with aggressive settings, and any plugin that modifies the login page.

Step 5: Check the Database Directly

If nothing above works, the siteurl or home values in the database are wrong and the wp-config.php defines aren’t overriding them (rare, but it happens with object caching). Connect to your database via phpMyAdmin or the MySQL CLI:

SELECT option_name, option_value 
FROM wp_options 
WHERE option_name IN ('siteurl', 'home');

If the values don’t match your actual domain, update them:

UPDATE wp_options SET option_value = 'https://yourdomain.com' WHERE option_name = 'home';
UPDATE wp_options SET option_value = 'https://yourdomain.com' WHERE option_name = 'siteurl';

Replace wp_options with your actual table prefix if you changed it during install.

Step 6: Define the Cookie Domain

For multisite installs or sites that recently changed domains, WordPress may not know where to set the auth cookie. Add this to wp-config.php:

define('COOKIE_DOMAIN', 'yourdomain.com');
define('COOKIEPATH', '/');

This forces WordPress to set cookies for the correct domain and path. On single-site installs, this is rarely needed — but when it’s the problem, nothing else fixes it.

Prevention

• Never change your site URL from the General Settings page without a backup. Use WP-CLI instead: wp option update home 'https://newdomain.com' — it’s atomic and less error-prone.
• Use a staging environment for any plugin that modifies authentication, login pages, or cookie handling. Test login flow on staging before deploying to production.
• Keep WP_DEBUG enabled on staging so you catch redirect issues early. Add define('WP_DEBUG', true); and define('WP_DEBUG_LOG', true); to wp-config.php — then check wp-content/debug.log for cookie and redirect warnings.
• Lock your SSL configuration. Mixed http/https is the single biggest cause of this loop. Force HTTPS at the server level (via your host’s dashboard or an .htaccess redirect) and never look back.

Last verified: April 2026

Related reading

• plugin
• Jetpack Security vs Wordfence (2026): Protection Compared
• Wordfence vs Sucuri (2026): Best WordPress Security Plugin?
• multisite
• wp-cli
• dashboard