WordPress Login Redirect Loop: Why wp-admin Keeps Sending You Back to the Login Page

You enter the correct username and password. You click Log In. And WordPress sends you right back to the same login screen. No error message. No explanation. Just the same form, staring back at you, as if nothing happened.

Locked out of your own website

There are few things more frustrating than being unable to access the admin panel of a website you own. You know the password is correct. You even reset it to be sure. But every time you log in, WordPress redirects you straight back to wp-login.php as if you never authenticated at all.

Meanwhile, your site might be working perfectly fine for visitors. The homepage loads. Blog posts are visible. But you cannot manage anything. You cannot update plugins, publish content, respond to comments, or fix a security issue. You are locked out of your own property.

Or worse — the redirect loop is not just affecting wp-admin. Sometimes the loop affects the front end too, and your visitors see a browser error: "This page isn't working. yoursite.com redirected you too many times." That version locks everyone out — you and your visitors.

The login redirect loop is insidious because it gives you no error message from WordPress itself. There is no "critical error" screen. There is no white screen. The login page looks completely normal. It just refuses to let you in. And because the front end can still work, standard uptime monitoring reports everything as fine.

What causes the WordPress login redirect loop

The login redirect loop happens when WordPress cannot verify your authentication session after you log in. You submit your credentials, WordPress validates them, sets a cookie, and redirects you to wp-admin. But when wp-admin loads, WordPress checks for the cookie, does not find it or does not trust it, and sends you back to the login page to authenticate again. This creates an infinite loop.

There are several reasons this chain breaks. Each one requires a different fix.

1. Browser cookie issues

WordPress authentication depends entirely on cookies. When you log in, WordPress sets two cookies: wordpress_logged_in_[hash] and wordpress_[hash]. Your browser must store these cookies and send them back with every request to wp-admin. If your browser blocks cookies, has stale cookies from a previous installation, or has a privacy extension that strips cookies, the login loop occurs.

How to fix it: Clear all cookies for your domain in your browser settings. If you use a privacy extension like uBlock Origin, Privacy Badger, or a cookie auto-delete tool, temporarily disable it. Try logging in using a private or incognito window — this starts with a clean cookie jar and eliminates browser-side causes immediately. If it works in incognito, the problem is a browser extension or cached cookie.

2. WordPress Address and Site Address mismatch

WordPress stores two URLs in its options table: siteurl (WordPress Address) and home (Site Address). These must match exactly. If one says https://www.yoursite.com and the other says https://yoursite.com — or one uses http and the other uses https — the cookie domain does not match the redirect target, and the login loop begins.

This commonly happens after migrating a site to a new domain, enabling SSL, or changing the URL in Settings > General without updating both fields. Since you are locked out of wp-admin, you cannot fix it from the dashboard.

How to fix it: Connect to your database via phpMyAdmin (available in most hosting control panels). Open the wp_options table. Find the rows where option_name is siteurl and home. Make sure both values are identical — same protocol (https), same domain, same www or non-www format. Save the changes and try logging in again. Refer to the WordPress wp-config documentation for more details on hardcoding these values.

3. Plugin conflict on login

Security plugins, caching plugins, and custom login plugins hook into the WordPress authentication process. If a plugin modifies the login flow, the redirect behaviour, or the cookie handling, it can break the authentication chain. This is especially common with plugins that add two-factor authentication, custom login pages, or aggressive page caching that caches the login page itself.

A caching plugin that caches the wp-login.php page will serve a stale version that does not process your login form submission. The form posts to a cached page, the server never receives your credentials, and you are redirected back to the login form.

How to fix it: Via FTP or your hosting file manager, navigate to /wp-content/plugins/. Rename the entire plugins folder to plugins-disabled. This deactivates all plugins at once. Try logging in. If the loop stops, one of your plugins is the cause. Rename the folder back to plugins, then rename individual plugin folders one by one to find the culprit. Start with any security plugin, caching plugin, or custom login plugin.

4. Incorrect cookie constants in wp-config.php

WordPress allows you to define the cookie domain and cookie path in wp-config.php using constants. If these are set incorrectly — for example, pointing to the wrong domain, an old domain, or a subdirectory that does not match your installation — cookies are set for the wrong scope and WordPress cannot read them back.

How to fix it: Open wp-config.php via FTP. Search for these lines:

define('COOKIE_DOMAIN', 'yoursite.com');
define('COOKIEPATH', '/');
define('SITECOOKIEPATH', '/');
define('ADMIN_COOKIE_PATH', '/wp-admin');

If these lines exist, verify the domain matches your current domain exactly. If you are not sure, comment them out by adding // at the start of each line. WordPress will use its default cookie settings, which work correctly in standard installations.

5. SSL and mixed content forcing redirect

If you recently added an SSL certificate and forced HTTPS but did not update your WordPress URLs, or if your hosting provider is handling SSL at the load balancer level while WordPress thinks it is running on HTTP, the login form can get stuck in a redirect loop. WordPress sets cookies for HTTPS, but the redirect goes to HTTP (or vice versa), and the cookies do not travel across the protocol boundary.

How to fix it: First, ensure both siteurl and home in the database use https://. Then, if your hosting uses a reverse proxy or load balancer, add this to wp-config.php before the "That's all, stop editing" comment:

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') { $_SERVER['HTTPS'] = 'on'; }

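This tells WordPress that the connection is secure even though the server itself receives HTTP from the load balancer. Because X-Forwarded-Proto is an ordinary request header, use this only when the proxy sets or overwrites it on every request; otherwise a client can supply the value itself. The WordPress wp-config.php documentation covers this and other reverse proxy configurations.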
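The cookie-scope failures behind causes 2, 4 and 5 can be reproduced offline. The following Python sketch is an added example, not WordPress or Uptrue code: it applies the RFC 6265 domain, path and Secure matching rules to a Set-Cookie header and reports why a browser would withhold the cookie from the post-login redirect target. The header strings, the `0123abcd` hash and the function names are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def domain_match(host, cookie_domain):
    """RFC 6265 domain-match: the host itself or any subdomain of it."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)

def path_match(request_path, cookie_path):
    """RFC 6265 path-match: cookie_path must be a directory prefix."""
    if request_path == cookie_path:
        return True
    return request_path.startswith(cookie_path) and (
        cookie_path.endswith("/") or request_path[len(cookie_path)] == "/")

def withheld_reasons(set_cookie, login_url, redirect_url):
    """Why a browser would not send the cookie to redirect_url ([] = sent)."""
    morsel = next(iter(SimpleCookie(set_cookie).values()))
    src, dst = urlsplit(login_url), urlsplit(redirect_url)
    domain = morsel["domain"]
    if domain and not domain_match(src.hostname, domain):
        return ["rejected-at-set"]  # Domain does not cover the setting host
    reasons = []
    # Without a Domain attribute the cookie is host-only: exact host required.
    same_scope = domain_match(dst.hostname, domain) if domain else dst.hostname == src.hostname
    if not same_scope:
        reasons.append("domain")
    if morsel["secure"] and dst.scheme != "https":
        reasons.append("secure-over-http")
    if not path_match(dst.path or "/", morsel["path"] or "/"):
        reasons.append("path")
    return reasons

# Constructed sample data; yoursite.com is the article's placeholder domain.
LOGIN = "https://yoursite.com/wp-login.php"
COOKIE = "wordpress_logged_in_0123abcd=v; Path=/; Secure; HttpOnly"
CASES = {
    "healthy": (COOKIE, "https://yoursite.com/wp-admin/"),
    "www mismatch": (COOKIE, "https://www.yoursite.com/wp-admin/"),
    "https to http": (COOKIE, "http://yoursite.com/wp-admin/"),
    "stale COOKIE_DOMAIN": (COOKIE + "; Domain=oldsite.example", "https://yoursite.com/wp-admin/"),
    "wrong ADMIN_COOKIE_PATH": ("wordpress_0123abcd=v; Path=/blog/wp-admin; Secure", "https://yoursite.com/wp-admin/"),
}

if __name__ == "__main__":
    for name, (header, target) in CASES.items():
        print(f"{name}: {withheld_reasons(header, LOGIN, target) or 'sent'}")
```

An empty list means the browser returns the cookie to wp-admin; any other result is a condition under which WordPress sees no session and redirects back to wp-login.php.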

6. Corrupted .htaccess file

The .htaccess file controls URL rewriting on Apache servers. A malformed rewrite rule — from a plugin, a manual edit, or a failed update — can create a redirect loop that specifically targets wp-login.php or wp-admin. The browser follows the redirects until it hits the browser limit and displays the "too many redirects" error.

How to fix it: Via FTP, rename .htaccess to .htaccess-backup. Try logging in. If the loop stops, the .htaccess file was the problem. Log into wp-admin, go to Settings > Permalinks, and click Save Changes without changing anything. WordPress regenerates a clean .htaccess file.

Why standard uptime monitoring misses the login redirect loop

If the redirect loop only affects wp-admin and wp-login.php, your front end can appear completely normal. A standard HTTP monitor checking your homepage sees a 200 OK response and reports your site as up. Your monitoring dashboard is green.

But you cannot manage your site. You cannot publish that urgent blog post. You cannot update the plugin with the critical security patch. You cannot process the WooCommerce order that is sitting in the queue. Your site looks alive, but you have lost control of it.

Even if you monitor wp-login.php directly, a basic HTTP check might follow one redirect and see a 200 response — the login page itself — and report it as healthy. It does not know that logging in leads to an infinite loop. You need a monitor that follows the full redirect chain and flags when the number of redirects exceeds a reasonable threshold.
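A chain-following check of the kind described above, as an added Python example (not Uptrue's implementation or code from the original article): it requests each hop without auto-following, so a repeated URL or an over-long chain is reported rather than hidden behind a final 200. The response maps and the `trace_redirects` and `http_fetch` names are constructed for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

REDIRECTS = {301, 302, 303, 307, 308}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface each 3xx instead of following it silently

def http_fetch(url, timeout=10):
    """One request, no auto-follow. Returns (status, Location or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

def trace_redirects(url, fetch=http_fetch, max_hops=10):
    """Return (verdict, chain); verdict is ok, error, loop or too-many-redirects."""
    chain, seen = [], set()
    for _ in range(max_hops + 1):
        if url in seen:
            return "loop", chain  # same URL visited twice: it can never resolve
        seen.add(url)
        status, location = fetch(url)
        chain.append((url, status))
        if status not in REDIRECTS or not location:
            return ("ok" if status == 200 else "error"), chain
        url = urljoin(url, location)  # Location may be relative
    return "too-many-redirects", chain

# Constructed responses standing in for a server (no network needed).
ADMIN = "https://yoursite.com/wp-admin/"
NORMAL = {ADMIN: (302, "/wp-login.php?reauth=1"),
          "https://yoursite.com/wp-login.php?reauth=1": (200, None)}
LOOPING = {ADMIN: (302, "http://yoursite.com/wp-admin/"),
           "http://yoursite.com/wp-admin/": (301, ADMIN)}

if __name__ == "__main__":
    print(trace_redirects(ADMIN, NORMAL.__getitem__))
    print(trace_redirects(ADMIN, LOOPING.__getitem__))
```

The `LOOPING` map models the HTTP/HTTPS flip from cause 5; calling `trace_redirects(url)` with the default `http_fetch` runs the same check against a live site.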

How to detect the login redirect loop with Uptrue

Uptrue's HTTP monitoring follows redirect chains and detects when a URL enters a loop. Combined with keyword monitoring, you get complete coverage of both the admin panel and the front end.

Step 1: Set up an HTTP monitor on wp-admin

  1. Sign up at uptrue.io/signup (free plan available)
  2. Click Add Monitor from your dashboard
  3. Select HTTP/HTTPS as the monitor type
  4. Enter your wp-admin URL: https://yoursite.com/wp-admin/
  5. Set expected status to 200 or 302 (a single redirect to the login page is normal for unauthenticated requests)
  6. Set the check interval to 5 minutes
  7. Configure alerts — Slack, email, or Microsoft Teams

When a redirect loop occurs, the server returns repeated 302 redirects that never resolve to a final 200 page. Uptrue detects this as a failure and alerts you immediately. A normal wp-admin check returns a single 302 to the login page — but a loop produces a chain of redirects that exceeds the follow limit.

Step 2: Add a keyword monitor on your homepage

  1. Click Add Monitor again
  2. Select Keyword as the monitor type
  3. Enter your homepage URL
  4. Set the keyword to your site title or a tagline that always appears on the page
  5. Set the check type to "Page must contain"
  6. Set the interval to 1 minute

This confirms that even when wp-admin is in a loop, your visitors can still see your content. If both monitors go red, the redirect loop has spread to the front end and the situation is critical.

Step 3: Add a keyword monitor to detect the browser error

  1. Add a Keyword monitor for your homepage
  2. Set the keyword to "redirected you too many times"
  3. Set the check type to "Page must NOT contain"
  4. Set the interval to 1 minute

If the redirect loop reaches the front end, browsers display an error page. Uptrue detects the absence of your normal content or the presence of redirect error text and alerts you before your visitors start complaining.

Step 4: Configure alerts that reach you immediately

A login redirect loop can persist for hours or days because your front end still works and you have no reason to log into wp-admin. By the time you notice, a plugin has been out of date for a week, or a security patch has gone uninstalled. Configure your alerts to go where you will see them:

  • Slack — instant notification in a dedicated channel
  • Microsoft Teams — same idea, different platform
  • Email — fine as a backup, but not fast enough for emergencies
  • Webhook — pipe alerts into PagerDuty, Opsgenie, or your own incident management system

Preventing the login redirect loop

Once you fix the loop, these habits keep it from coming back.

Keep your URLs consistent

Decide on one canonical URL format — www or non-www, http or https — and stick with it everywhere. In the database, in wp-config.php, in your DNS settings, and in your SSL configuration. Any mismatch between these locations is a redirect loop waiting to happen.

Exclude login pages from caching

If you use a caching plugin (WP Super Cache, W3 Total Cache, WP Rocket, or similar), verify that wp-login.php and wp-admin are excluded from the page cache. Most caching plugins do this by default, but custom rules or server-level caching (Varnish, Nginx FastCGI Cache) might not respect WordPress login cookies.

Test plugin updates one at a time

Security plugins and caching plugins are the most common culprits. Update them individually. After each update, verify that you can log out and log back in. If a plugin update breaks authentication, you know immediately which one caused it.

Keep a backup of wp-config.php

Before making any changes to wp-config.php, download a copy. If your edits cause a login loop, you can restore the original file in seconds. A broken wp-config.php can lock you out of your site completely.

Stop finding out from your customers

The WordPress login redirect loop is silent. Your front end can look perfectly healthy while you are completely locked out of your admin panel. No error message. No WordPress notification. No monitoring alert if you are only checking the homepage.

Uptrue monitors your wp-admin URL directly. When a redirect loop starts, you know in minutes — not when you next try to log in and find yourself staring at the same login form for the fifth time.

One minute checks. HTTP and keyword monitoring. Slack, Teams, email, and webhook alerts. Full redirect chain analysis that catches loops before your browser does.

Frequently asked questions

Why does WordPress keep redirecting me to the login page?

WordPress uses cookies to maintain your login session. If your browser cannot store or send these cookies back to the server, WordPress does not recognise you as logged in and sends you back to the login page. Common causes include browser cookie settings, a mismatch between your WordPress URL and Site URL, plugin conflicts that interfere with authentication, and incorrect cookie domain constants in wp-config.php.

Can I fix the redirect loop without FTP access?

If you can access your hosting control panel (cPanel, Plesk, or similar), you can use the file manager to edit wp-config.php and the database via phpMyAdmin. If you cannot access any server-side tools, you will need to contact your hosting provider. The redirect loop locks you out of wp-admin entirely, so there is no way to fix it from within the WordPress dashboard.

Will clearing my browser cookies fix the WordPress login loop?

Sometimes yes. If the issue is a corrupted or stale cookie in your browser, clearing cookies for your domain and trying again can resolve it. However, if the problem is server-side — such as a URL mismatch or a plugin conflict — clearing cookies will not help. It is worth trying first because it takes seconds, but if the loop persists, you need to investigate server-side causes.

How can monitoring detect a WordPress login redirect loop?

An HTTP monitor configured to check your wp-admin or wp-login.php URL will detect a redirect loop because the server returns a 302 redirect repeatedly rather than a 200 OK with the dashboard page. Uptrue follows redirects up to a limit and flags the loop as an error. You can also use keyword monitoring on your homepage to confirm that the front end is still loading normally while the admin area is broken.