Introduction

A login redirect loop happens when WordPress accepts the form submission but fails to preserve a valid authenticated session. Users enter correct credentials, see a page refresh or redirect, and land right back on the login screen. The failure is usually in cookies, URL settings, caching, or proxy handling rather than the password itself.

Symptoms

  • Correct WordPress credentials return the user to /wp-login.php again
  • Admin pages redirect back to login instead of loading the dashboard
  • The issue appears after moving to HTTPS, Cloudflare, or a reverse proxy
  • Clearing cookies in one browser works temporarily but the problem returns
  • Plugins or custom code changed authentication, cookies, or redirects recently

Common Causes

  • home and siteurl values do not match the actual canonical domain or protocol
  • Proxy or load balancer settings stop WordPress from detecting HTTPS correctly
  • Security, caching, or login plugins interfere with auth cookies or redirects
  • Browser cookies are blocked, stale, or scoped to the wrong domain
  • Mixed domain usage such as www and non-www breaks session continuity

Step-by-Step Fix

  1. Confirm the issue with a known-correct admin account and note whether it happens on both www and non-www versions of the site.
  2. Check the WordPress home and siteurl values in the database or configuration and make sure they exactly match the intended public URL.
  3. Clear browser cookies for the site and test in a fresh private session so stale cookies do not hide whether the server-side fix worked.
  4. Disable caching, security, or custom auth plugins one by one if the loop started after a plugin change or hardening pass.
  5. Review reverse proxy, CDN, or load balancer configuration so WordPress correctly detects HTTPS and does not issue conflicting redirects.
  6. Check for forced redirects in .htaccess, Nginx rules, or custom code that bounce users between www, non-www, HTTP, and HTTPS.
  7. Verify that cookie domain settings are not pinned to the wrong hostname and are not being overridden by old constants in wp-config.php.
  8. Re-test login, dashboard navigation, and logout flow after each correction so you can isolate the real cause.
  9. Keep one canonical domain, one HTTPS policy, and a minimal login stack so future auth changes do not recreate the loop.
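
The checks in steps 2, 5, 6, and 7 can be run mechanically over a captured login redirect chain. The following is an added example, not part of the original page: the function names, finding labels, and the sample capture on www.example.com are constructed for illustration, and the missing-Secure check is a heuristic.

```python
from urllib.parse import urljoin, urlsplit

def origin(url):
    """Return (scheme, host) of a URL, lowercased."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, lowercased attribute dict)."""
    first, *rest = [part.strip() for part in value.split(";")]
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return first.partition("=")[0], attrs

def diagnose(home, siteurl, hops):
    """hops: (request_url, status, [(header, value), ...]) in the order they occurred."""
    findings, seen = [], set()
    if origin(home) != origin(siteurl):          # paths may differ, scheme and host may not
        findings.append("home-siteurl-mismatch")
    for url, status, headers in hops:
        if url in seen:                           # same URL requested twice: the loop itself
            findings.append("redirect-loop")
        seen.add(url)
        host = origin(url)[1]
        for name, value in headers:
            if name.lower() == "location" and 300 <= status < 400:
                if origin(urljoin(url, value)) != origin(home):
                    findings.append("redirect-off-canonical")
            elif name.lower() == "set-cookie":
                cookie, attrs = parse_set_cookie(value)
                if not cookie.startswith("wordpress_logged_in_"):
                    continue
                domain = attrs.get("domain", "").lstrip(".").lower()
                if domain and host != domain and not host.endswith("." + domain):
                    findings.append("cookie-domain-mismatch")
                # Assumption: an HTTPS site whose login cookie lacks Secure usually means
                # WordPress did not detect HTTPS behind the proxy.
                if origin(home)[0] == "https" and "secure" not in attrs:
                    findings.append("https-not-detected")
    return findings

# Constructed capture of a looping login on a hypothetical site.
SAMPLE_HOPS = [
    ("https://www.example.com/wp-login.php", 302, [
        ("Set-Cookie", "wordpress_logged_in_0123=admin%7Cconstructed; path=/; HttpOnly"),
        ("Location", "https://www.example.com/wp-admin/")]),
    ("https://www.example.com/wp-admin/", 302, [("Location", "http://www.example.com/wp-login.php")]),
    ("http://www.example.com/wp-login.php", 301, [("Location", "https://www.example.com/wp-login.php")]),
    ("https://www.example.com/wp-login.php", 200, []),
]

if __name__ == "__main__":
    print(diagnose("https://www.example.com", "https://www.example.com", SAMPLE_HOPS))
```

Feed it the hops from a real header capture of the login POST and the redirects that follow; an empty list means none of these four conditions appeared in that chain.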