Fix WordPress Login Redirect Loop Behind Reverse Proxy or SSL Offloader

Introduction

WordPress login loops are common when HTTPS is terminated before the PHP origin. If WordPress thinks the request is HTTP while the browser is on HTTPS, cookies and redirects become inconsistent and wp-login.php keeps bouncing back to itself or to wp-admin.

Symptoms

Submitting the login form returns to the same login page without an error
/wp-admin/ redirects back to wp-login.php even after a successful password entry
The issue started after adding Cloudflare, Nginx Proxy Manager, or a load balancer
Mixed values appear for siteurl, home, or forwarded protocol headers

Common Causes

WordPress does not trust the forwarded HTTPS header from the proxy
siteurl and home use different schemes or host names
The proxy sends the wrong X-Forwarded-Proto header
Cookies are issued for HTTP while the browser is on HTTPS

Step-by-Step Fix

1.Confirm the browser and origin disagree about the request scheme
2.Inspect response headers and WordPress settings before changing plugins or cookies.

bash

curl -I https://example.com/wp-login.php
wp option get siteurl
wp option get home

1.Make sure the proxy forwards HTTPS correctly
2.The origin must receive a trustworthy indication that the client is using HTTPS.

nginx

proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

1.Teach WordPress to respect the forwarded HTTPS header
2.If SSL terminates upstream, set the HTTPS server flag in wp-config.php before WordPress loads.

php

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

1.Clear cookies and retest the login flow
2.Old cookies can preserve the broken scheme behavior even after the proxy and config are fixed.

bash

wp cache flush

Prevention

Standardize forwarded header handling on every reverse proxy in front of WordPress
Keep siteurl and home aligned on one canonical HTTPS URL
Re-test wp-login after any CDN, proxy, or load balancer change
Document SSL termination points in the hosting runbook

Recommended hosting recovery options

Disclosure: FixWikiHub may earn a commission from clearly disclosed partner links.

SiteGround

Staging, backups, and managed WordPress tooling can help when you need a cleaner recovery environment.

Review SiteGround

WP Engine

Isolated environments, restore points, and platform controls can reduce recovery risk during major fixes.

Review WP Engine

WordPress Login Redirect Loop Behind a Reverse Proxy or SSL Offloader

Introduction

Symptoms

Common Causes

Step-by-Step Fix

Prevention

Share this guide

More WordPress Troubleshooting Guides

WordPress Site Health Critical Issues

WordPress MySQL Version Incompatible

WordPress PHP Version Incompatible

WordPress Redirect Chain

WordPress Duplicate Post Content

WordPress Thumbnails Not Generating