How to Fix WordPress Login Page Refreshing and Redirecting Issue
When your WordPress login page keeps refreshing or redirecting back to itself after entering correct credentials, the most common cause is a browser cookie issue, a caching plugin caching the login page, or a mismatch between your WordPress URL settings and the URL you are actually using. The fastest fix is to clear your browser cookies for your WordPress site and try again. If that does not work, check your caching plugin’s settings to ensure wp-login.php is excluded from caching.
This is one of the most frustrating WordPress errors because everything appears to work — you enter your username and password, click “Log In,” and the page simply reloads as if nothing happened. No error message. No indication of what went wrong. Just the login form again, mocking you. The root cause is almost always an issue with how WordPress sets or reads the authentication cookie that proves you are logged in.
What Causes the Login Refresh Loop?
Browser cookie issues. When you log in, WordPress sets an authentication cookie in your browser. On the next page load, WordPress checks for this cookie to confirm you are logged in. If the cookie was not set correctly, was blocked by your browser, or was set for the wrong domain, WordPress does not recognise you as authenticated and sends you back to the login page.
Caching plugin caching the login page. If your caching plugin caches wp-login.php or the wp-admin area, the cached page may contain invalid nonces (security tokens) or may serve a static version of the login form that does not properly process authentication. Most caching plugins exclude these pages automatically, but misconfigurations happen.
WordPress URL mismatch. If the URL in your browser does not match the WordPress Address or Site Address in your WordPress settings (for example, you access the site via www.yourdomain.com but WordPress is configured for yourdomain.com without www), the authentication cookie — which is set for a specific domain — will not be read correctly.
SSL/HTTPS issues. If your WordPress URL uses HTTPS but the login page is loading over HTTP (or vice versa), the cookie domain mismatch can cause the login loop. This is especially common after partially implementing SSL — the site works on HTTPS but the login process still references HTTP URLs.
Plugin conflicts. Certain plugins — particularly security plugins, custom login plugins, and membership plugins — modify the login process and can introduce conflicts that prevent authentication cookies from being set or read correctly.
Incorrect cookie domain in wp-config.php. If your wp-config.php file contains explicit COOKIE_DOMAIN or COOKIEPATH constants that do not match your actual domain, cookies will be set for the wrong domain and the login loop occurs.
Step 1: Clear Browser Cookies and Cache
This fixes the problem approximately 30% of the time. Clear all cookies for your WordPress site’s domain in your browser settings. Also clear your browser cache. Then try logging in again.
In Chrome, go to Settings → Privacy and Security → Cookies and other site data → See all cookies and site data. Search for your domain. Delete all cookies for that domain. Alternatively, try logging in using an incognito/private browsing window — this uses a clean session with no cached data or existing cookies.
If logging in works in incognito but not in your normal browser, the issue is definitely a cookie or cache problem in your browser. Clear all browsing data for your site’s domain and the issue should resolve.
Step 2: Check Your Caching Plugin
If clearing browser cookies did not help, check your caching plugin’s configuration. The following pages and URLs should NEVER be cached:
/wp-login.php — the login page itself. /wp-admin/* — the entire admin area. Any URL containing wordpress_logged_in (the authentication cookie name). Any URL containing wp-postpass_ (the password-protected post cookie).
Most caching plugins (WP Rocket, LiteSpeed Cache, W3 Total Cache) exclude these by default. But verify manually — especially if you recently migrated, updated your caching plugin, or changed caching configurations. See our caching plugin comparison for details on how each plugin handles these exclusions.
If you use a CDN like Cloudflare, also check your CDN caching rules. Cloudflare should not cache wp-login.php or any wp-admin URLs. Create page rules to bypass caching for these paths if they are not already excluded.
After adjusting caching settings, clear the cache completely and try logging in again.
Step 3: Verify WordPress URL Settings
A mismatch between the URL you type in your browser and the URL WordPress expects causes cookie domain conflicts. The most common mismatch is www vs non-www — accessing your site at www.yourdomain.com while WordPress is configured for yourdomain.com (or vice versa).
If you can access the admin via a different URL: Try logging in at yourdomain.com/wp-login.php instead of www.yourdomain.com/wp-login.php (or vice versa). If one works but the other does not, you have a URL mismatch. Go to Settings → General and verify both “WordPress Address (URL)” and “Site Address (URL)” match the URL you want to use.
If you cannot access the admin at all: Fix the URL via wp-config.php. Add these lines (using the URL that matches what visitors use to access your site):
define('WP_HOME', 'https://yourdomain.com');
define('WP_SITEURL', 'https://yourdomain.com');
Read our complete guide on changing your WordPress URL for all available methods.
Step 4: Check for SSL/HTTPS Issues
If your site has SSL but HTTPS is not consistently enforced, the login process can break. Verify that both your WordPress Address and Site Address use https://. Verify that your wp-login.php page loads with a valid HTTPS connection (check for the padlock icon in your browser). If you see mixed content warnings on the login page, those need to be fixed.
Also check if your wp-config.php file contains the line define('FORCE_SSL_ADMIN', true);. If it does, ensure your SSL certificate is properly installed and covers the domain you are using. If the SSL certificate is expired or invalid, FORCE_SSL_ADMIN can create a loop where WordPress tries to redirect to HTTPS but the HTTPS connection fails, sending you back to HTTP, which redirects to HTTPS again. Read about fixing “Your Connection Is Not Private” errors if your SSL certificate is the issue.
Step 5: Deactivate Plugins via FTP
If the above steps have not resolved the login loop, a plugin conflict is likely the cause. Since you cannot access the admin to deactivate plugins, do it via FTP.
Connect to your site via FTP or your hosting file manager. Navigate to /wp-content/. Rename the plugins folder to plugins-disabled. Try logging in. If the login works, one of your plugins was causing the loop.
Rename the folder back to plugins (all plugins will be deactivated but intact). Log in to your admin. Reactivate plugins one at a time, logging out and back in after each, to identify which plugin causes the loop. Common culprits include security plugins that modify the login process, custom login page plugins, membership and user management plugins, and caching plugins (covered in Step 2).
See our plugin conflict troubleshooting guide for the detailed process.
Step 6: Check wp-config.php Cookie Constants
WordPress sets authentication cookies based on the site URL by default. However, wp-config.php can contain explicit cookie configuration constants that override the defaults. Open your wp-config.php and look for any of these lines:
define('COOKIE_DOMAIN', 'yourdomain.com');
define('COOKIEPATH', '/');
define('SITECOOKIEPATH', '/');
define('ADMIN_COOKIE_PATH', '/wp-admin');
If any of these exist and the values do not match your actual domain and WordPress installation path, they could be causing the login loop. The safest fix is to remove or comment out these lines entirely — WordPress will use the correct default values based on your site URL settings. After removing them, clear your browser cookies and try logging in.
Step 7: Check for Server-Level Issues
In rare cases, the login loop is caused by server-level configuration issues.
PHP session handling. Some hosting environments have misconfigured PHP session settings that prevent WordPress from setting cookies properly. Check your PHP session configuration in your hosting control panel or php.ini file. Ensure session.save_path points to a writable directory.
Reverse proxy or load balancer. If your site is behind a reverse proxy (like Cloudflare, a CDN, or a load balancer), the proxy may be stripping or modifying cookie headers. Ensure your proxy is configured to pass through Set-Cookie headers from your WordPress server.
Server time drift. WordPress authentication cookies include timestamps. If your server’s clock is significantly out of sync, cookies may be treated as expired immediately after being set. Contact your hosting provider to verify server time accuracy.
Frequently Asked Questions
The login loop happens only on one computer. What is different?
If the login works on other devices or in incognito mode but not in your normal browser, the issue is browser-specific. A browser extension (ad blocker, privacy extension, cookie manager) may be blocking WordPress’s authentication cookies. Try disabling all browser extensions and logging in. If it works, re-enable extensions one at a time to find the culprit.
I can log in to wp-admin but get redirected when trying to access a specific admin page.
This is different from a full login loop — it suggests you can authenticate but a specific admin page has a redirect issue. Check your user role permissions (you may not have access to the page you are trying to reach), check for plugin conflicts on that specific admin page, and verify that the page’s URL is correctly formed.
The login loop started after installing an SSL certificate. How do I fix it?
Update both WordPress Address and Site Address in Settings → General (or via wp-config.php) to use https://. Clear all browser cookies. If FORCE_SSL_ADMIN is set in wp-config.php, verify your SSL is working properly. Also run a search-and-replace in your database to update any remaining http:// references to https://. See our mixed content guide.
Can malware cause a login loop?
Yes. Malware that modifies wp-login.php, hooks into the authentication process, or injects redirects can cause login loops. If you suspect malware, check your wp-login.php file against a clean copy from wordpress.org. If the file has been modified, your site may be compromised. Read our malware removal guide or contact our malware removal service.
Need Expert Help? Let WP Ministry Handle It
Login loops are frustrating because they lock you out of your own dashboard, making troubleshooting from within WordPress impossible. Our 24/7 team can access your site via FTP and server-level tools to diagnose and resolve the issue — even when you cannot get into wp-admin.
Call (901) 249-0909 for immediate assistance. One-time fixes start at $199 through our one-time fix service. Or choose a care plan for ongoing maintenance and 24/7 support access.
Related Articles
How to Change Your WordPress Login URL (Hide wp-login.php)
How to Set Up Two-Factor Authentication in WordPress
How to Fix WordPress Plugin Conflicts (Troubleshooting Guide)