WordPress Login Page Keeps Refreshing or Redirecting
What Is This Error?
This error happens when you try to log into your WordPress dashboard and instead of landing on the admin screen, the browser just reloads the login page. You type your username and password, click Log In — and end up right back at the same form. No error message, no explanation, just an endless loop.
The frustrating part is that your credentials are usually correct. WordPress is accepting them, starting a session — and then something goes wrong before it can redirect you to wp-admin. The site essentially forgets you just logged in.
This is almost always a cookie problem. WordPress sets an authentication cookie in your browser after a successful login. If something prevents that cookie from being stored or read back — a URL mismatch, a broken config file, or a caching plugin — the login system can’t confirm who you are and sends you back to start.
Get free WordPress & AI tips
Join 500+ readers. No spam, unsubscribe anytime.
Why Does This Happen?
- WordPress URL mismatch: If your WordPress Address and Site Address don’t match exactly — one using “www” and the other not, or one on HTTP while the other is HTTPS — the authentication cookie gets set for the wrong domain and is immediately rejected.
- Corrupted .htaccess file: A bad rewrite rule in .htaccess can intercept login requests and bounce them into a redirect loop before WordPress finishes setting your session cookie.
- Caching plugin conflict: Aggressive caching plugins sometimes serve a static cached copy of the login page instead of letting WordPress process your credentials, so the session is never actually created.
- Stale browser cookies: Old WordPress authentication cookies sitting in your browser can clash with new login attempts, causing the session check to fail silently and send you back to the form.
- HTTP to HTTPS migration: After adding an SSL certificate, the site URL stored in the database often still begins with “http://”. The cookie is created for one origin and the browser rejects it on the other, triggering the loop.
How to Fix It — Step by Step
- Clear your browser cookies and cache. Open your browser settings, go to Privacy or History, and clear both cookies and cached files — not just one or the other. Close the browser completely, reopen it, and try logging in.
You should see: A fresh login page with no pre-filled fields. Attempt to log in before moving on.
- Test in an incognito window or a different browser. Open a private/incognito window and navigate directly to your wp-login.php URL. This rules out browser-level cookie interference entirely.
You should see: If login succeeds here, your browser’s stored cookies were the culprit. If the loop continues, move to Step 3.
- Fix your site URL via wp-config.php. Connect to your server using FTP or cPanel File Manager, open wp-config.php, and add these two lines directly above the “That’s all, stop editing!” comment:
define('WP_HOME', 'https://yourdomain.com'); define('WP_SITEURL', 'https://yourdomain.com');Replace the URL with your actual address. Use the exact format your site runs on — include “www” if your site uses it, and “https” if SSL is active. These values override whatever is stored in the database.
You should see: The login page loads and you are redirected to wp-admin after submitting credentials. If this works, you have found the fix.
- Reset your .htaccess file. Via FTP, go to your WordPress root directory and rename .htaccess to .htaccess_backup. Then create a new file named .htaccess with the default WordPress content below:
# BEGIN WordPress <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] </IfModule> # END WordPressYou should see: Successful login to wp-admin. Afterward, navigate to Settings → Permalinks and click Save Changes to let WordPress regenerate the correct .htaccess rules for your permalink structure.
- Disable all plugins via FTP. In your FTP client, navigate to wp-content/ and rename the plugins folder to plugins_disabled. This deactivates every plugin simultaneously without needing dashboard access.
You should see: Login succeeds. Rename the folder back to plugins, then go to the Plugins screen and reactivate them one at a time — testing login after each activation — until the loop returns. That last plugin is your culprit.
Common Mistakes When Fixing This
- Clearing cache but skipping cookies: Your browser stores these separately. Clearing only the cache leaves old authentication tokens intact and the loop continues. Always clear both cookies and cache in the same action.
- Using an inconsistent URL format in wp-config.php: If you add the WP_HOME and WP_SITEURL defines but write a URL that doesn’t match what your server actually serves — for example adding “www” when your DNS resolves to the bare domain — you create a fresh mismatch on top of the original one. Double-check your live URL first.
- Re-enabling all plugins at once after testing: If disabling plugins broke the loop, bulk-activating them again makes it impossible to identify the offender. Always reactivate one at a time and verify login after each step.
- Missing the HTTP vs HTTPS difference: Many people look for a www/non-www mismatch but overlook the protocol. A site running on HTTPS with a database URL still set to “http://yourdomain.com” will loop on every single login. Both the WP_HOME and WP_SITEURL defines must use the exact correct protocol.
Frequently Asked Questions
Will fixing this delete any of my posts or settings?
No. Every step in this guide — editing wp-config.php, resetting .htaccess, and temporarily disabling plugins — leaves your posts, pages, media files, and database records completely untouched. These are configuration-level changes only.
What if I cannot even reach the login page because the redirect kicks in immediately?
Use phpMyAdmin to edit your database directly. Open the wp_options table and find the rows with option_name values of siteurl and home. Update both option_value fields to your correct site URL, save the changes, and try navigating to wp-login.php again.
This started right after I installed an SSL certificate — is that the cause?
Almost certainly yes. When a site moves to HTTPS, the old HTTP address often remains in the database. WordPress sets the login cookie for the HTTPS origin, but the stored URL is still HTTP — the browser treats these as different hosts and discards the cookie. Adding WP_HOME and WP_SITEURL in wp-config.php with the https:// prefix corrects this immediately.
A caching plugin caused this — how do I stop it from happening again?
Open your caching plugin’s settings and locate its page exclusion or exception list. Add /wp-login.php and /wp-admin/ as paths that must never be cached. This tells the plugin to always serve those pages dynamically, allowing WordPress to process credentials and set session cookies correctly every time.
