How to Fix the WordPress Login Redirect Loop Issue

The WordPress login redirect loop is a common issue that no WordPress website owner is safe from. You enter your admin credentials, but instead of loading the admin dashboard, WordPress returns you to the login page. Most tutorials suggest you clear your browser cache and cookies, but it’s not likely to fix the WordPress redirect error.

Although you may also think that the WordPress login redirect loop is related to the “Too many redirects” error, it is not that simple. There are a number of reasons why WordPress refuses to log you in. And most of the time, there won’t be a typical redirect loop present.

Follow our comprehensive guide to the WordPress login redirect loop. You’ll learn why WordPress refuses to log you in and how to restore access to the WordPress admin panel.

How Does WordPress Log You In to the Admin Dashboard?

Your admin dashboard is one of the most important areas of your website. It is a great example of how WordPress manages the client-server communication. Once you open the WordPress admin panel, most of the tasks like content management are performed in your browser. It will then exchange information with the server.

WordPress needs to ensure that your browser can communicate with the server and send data to the WordPress database. It also needs to maintain your user session and keep you logged in.

So what happens when you log in to the WordPress admin panel? Whether you leave the default admin dashboard address or change it for WordPress login security, WordPress will still take the same steps to log you in. Let’s review the authentication process step-by-step.

WordPress Authentication

You open your WordPress login window, enter your admin username and password, and click on the Login button. WordPress takes the values you have provided and calls its authentication function to verify if the login information is valid. To do so, it needs to compare the submitted credentials to the data stored in the wp_users table of your WordPress database.

The admin user password is not stored in the wp_users table in plain text, so is the password you enter on login. WordPress salts and security keys are used to secure your login credentials by encrypting them, so what WordPress really does is compare the hashes during the authentication process.

WordPress Login Cookies

Once you log in to the WordPress dashboard, your admin credentials are encrypted with the help of salts and security keys from the wp-config.php file, and are saved in the wordpress_[hash], or authentication, cookie. Cookies are small pieces of data stored by your browser for authentication and verification purposes. WordPress uses two types of cookies to keep you logged in to the WordPress admin panel while you perform website administration tasks.

Once the authentication cookie is saved on the login attempt, WordPress parses it to a token and a hash and compares the hashed information to that stored in the wp_users database for the username you entered. A match means that the password you provided is correct, and WordPress can grant you access to the admin panel.

After a successful login, WordPress creates a session for you, adding its information to the wp_usermeta table of its database. It will store your IP address, login time, browser user agent, and session expiration time in the meta_value column.

The generated WordPress authentication cookie saved in your browser will include your admin username, its hashed password, the session token, and the expiration time of the cookie. Upon login, WordPress will also save the wordpress_logged_in_[hash], or login, cookie. It will indicate the user you’re logged in as for most interface use.

As you can see, WordPress performs a whole set of operations to verify your admin credentials, open a session for you, and keep you logged in. You do not typically need to intervene in any way, but once your website does not allow you to go past the login page, you know – something went wrong as WordPress tried to take the steps outlined above to authenticate you.

What Does The WordPress Login Redirect Loop Mean?

The WordPress login redirect loop occurs when WordPress fails to perform all the steps of the authentication process. It can include an inability to call its core authentication functions or write to the database, which would make it impossible to save your session data to the wp_usermeta table.

WordPress Login Loop vs. WordPress Redirect Error

This is also what makes WordPress login redirect loop different from a typical redirect loop error in WordPress. WordPress login loop is essentially WordPress redirecting you back to the admin panel login page for another authentication attempt, since it failed to verify your login information during the previous one.

Redirect loop error in WordPress, also known as the “Too many redirects” error means that WordPress failed to load its admin dashboard due to an endless number of redirects followed. Although sometimes both issues can be caused by the same misconfigurations, most of the time they are not closely intertwined.

Both issues, however, can sometimes be fixed by clearing your browser cache and cookies. If this simple manipulation has helped you restore access to the admin dashboard, the issue was not on the server-side. Keep reading to learn what else can cause a WordPress login redirect loop on your website.

7 Main Reasons Behind The WordPress Login Redirect Loop

The WordPress login redirect loop indicates that WordPress has experienced critical issues in an attempt to authenticate you. As we discussed, issues can be encountered at all stages of the verification process — from calling the core authentication functions to writing your session data to the WordPress database and opening the admin dashboard.

This is why simply clearing your browser cache and cookies won’t always solve the issue and bring you closer to getting access to the Admin panel. Here are the seven main reasons behind a WordPress login loop:

• Incorrect WordPress site address settings
• Plugin conflicts
• Misconfigurations in wp-config.php
• Broken permalinks
• Incorrect file permissions
• Database access errors
• Disk space issues

Reason 1: Incorrect WordPress Site Address Settings

WordPress uses the WP_HOME and WP_SITEURL constants, also known as WordPress Address and Site Address, to identify the address of your website on the web. WP_HOME is used to configure the location of the WordPress installation, while WP_SITEURL represents the URL you need to type in the browser address bar to open your WordPress website.

Most of the time, both WordPress Address and Site Address store the same value. The two constants are auto loaded from the wp_options table of your WordPress database, where they are stored as siteurl and home. As both represent a Uniform Resource Locator, the correct protocol needs to be included.

WordPress Address and Site Address can be used to force HTTPS on your website which is often missed when trying to investigate competing redirects. If you have a valid SSL/TLS certificate installed on your website, make sure the HTTPS is configured for both siteurl and home in the wp_options table. An incorrect protocol specified can potentially lead to many issues, including the redirect loop error in WordPress.

How to Address

Check your WordPress address settings by opening the wp_options table from phpMyAdmin or running an SQL query from the command line. Home and siteurl options will have the IDs of 1 and 2.

You can modify your WordPress Address and Site Address settings by editing your wp-config.php file or the values in the wp_options table directly. You can also do it from the Settings tab of your WordPress Admin panel, but if you are unable to log in, you will need to use one of the two methods we mentioned.

Add the following lines to your wp-config.php file, where mywebsite.com is the domain name of your WordPress website, above /* That’s all, stop editing! Happy publishing. */. Please note that you will no longer be able to modify WordPress Address and Site Address from the admin panel. But as you gain access to your WordPress admin dashboard, you can remove the code below and edit the values from the General Settings menu instead.

Reason 2: Plugin Conflicts

WordPress plugins extend the native capabilities of WordPress, offering the additional functionality you need on your website. However, the more plugins you have activated, the more code needs to be loaded and executed, which almost inevitably leads to code incompatibility.

Plugin conflicts are one of the most common reasons why errors occur, including WordPress login redirect loops. If you check your website’s error logs, you may see something along the lines of “cannot modify header information – headers already sent by”. Most of the time, this message clearly points to a plugin conflict of some sort.

How to Address

Deactivate all plugins to see if it solves the WordPress login redirect loop issue. As you do not have access to the Admin panel, log in to the server via SSH or use the File manager interface to navigate to your website’s wp-content/plugins directory. Rename each plugin folder, which will temporarily deactivate all plugins.

Although it will work, renaming plugin directories is not recommended. Use WP-CLI (the command-line interface for WordPress) to deactivate all plugins at once with the command below. Then use the ‘activate’ option to reactivate your plugins in bulk or one by one.

You may also want to temporarily switch to the default WordPress theme. Use the WordPress command line interface too.

If you are able to log in to the WordPress admin dashboard after that, reactivate all plugins one by one to find the cause of the issue. You may notice that a certain plugin has recently been updated, so you may need to rollback the update to go back to the version that worked correctly. It is possible that the issue will be addressed in the next plugin release or there is a known fix that will allow you to keep using the plugin.

Solid Security Version Management allows you to configure auto-updates for WordPress core, plugins, and themes to leverage new features and stay protected from known vulnerabilities. Keeping WordPress up to date is extremely important and can save you tons of time dealing with various WordPress issues caused by outdated software.

Reason 3: Misconfigurations In wp-config.php

Your wp-config.php file is the main WordPress configuration file that stores the database login information and a number of other settings that your website can not work correctly without. If any key configurations are missing or there are any syntax errors, it can lead to various errors and cause a WordPress login redirect loop to appear.

How to Address

Open your website’s wp-config.php file and review its contents. Is all database information, including the database name, user, its password, and the address of the database server, added correctly? Do you see any lines that look unusual or seem out of place?

Another important aspect is WordPress salts and security keys that are often placed in the wp-config.php file right under the database information. As we discussed, those ensure your WordPress admin credentials are encrypted and stay secure as you log in to your WordPress dashboard. If security keys and salts are missing, it will almost certainly result in seeing a WordPress login redirect loop.

Use the official WordPress salts generator to update your security keys in wp-config.php. Solid Security Pro allows you to update your WordPress security keys and salts in just a few clicks without having to modify your WordPress configuration file manually.

Reason 4: Broken Permalinks

Permalinks are the unique URLs configured for all posts and pages on your WordPress website. Not only does broken permalink structure lead to seeing the 404 error while browsing your website, in some cases it can also lead to you being unable to log in to the WordPress admin dashboard.

How to Address

Examine the .htaccess file in your WordPress installation directory to make sure the default redirect rule is there. If the standard WordPress code is missing, open the file for editing and add the code snippet below.

# BEGIN WordPress
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Reason 5: Incorrect File Permissions

File permissions are one of the most important aspects of hosting. For your WordPress website to work without any issues, file permissions should be set correctly.

Permissions can vary from one hosting provider to another. The correct setup depends on what user owns your website files and what user the web server runs as. If permissions are set up incorrectly, especially in the wp-admin folder, it can lead to seeing a WordPress login redirect loop on your website.

How to Address

Be extremely careful with changing permissions. It is generally best to contact your hosting support team for assistance. WordPress files should not have permissions over 644. And most of the time you would want them to be at least 640, especially the wp-config.php file. Directories should never be set to 777.

Even the ability to read files can lead to exposing sensitive information from WordPress configuration files, such as your database connection information. The ability to write or alter your WordPress files could allow others to use your site to run malicious code, spread malware, or carry out network attacks.

Reason 6: Database Access Errors

Another reason for seeing a WordPress login redirect loop is WordPress experiencing issues writing to its database. As you log in to your WordPress dashboard, your session information needs to be saved to the wp_usermeta table. If WordPress is not able to add it to the database, it will redirect you back to the admin panel login page after an unsuccessful authentication attempt.

It can happen if the database user does not have sufficient privileges. Or the database connection information in wp-config.php is incorrect. Especially if your database user has read permissions, but is unable to write to the WordPress database.

How to Address

To troubleshoot WordPress database connection errors, follow the instructions provided in the Solid guide to fixing the “Error establishing a database connection” in WordPress.

Open your web hosting admin panel and navigate to the database management interface. Make sure that the database user specified in the wp-config.php file is correctly associated with the WordPress database. Also, be sure it has been granted all privileges.

Reason 7: Disk Space Issues

If your website goes over the disk quota, or even your server runs out of disk space, WordPress will not be able to write to its database. Just like in the case we discussed above, WordPress will keep redirecting you back to the login page until you have freed up some disk space or raised the quota.

How to Address

Always keep track of how much disk space you have available. If your WordPress website is close to reaching its disk quota, review its content to see if you can remove some old backups or other large files you no longer need. If you are on a VPS or dedicated server, simply raise the quota if you have enough free disk space. You may also consider getting a bigger server.

If backups are what constantly fills up all your disk space, consider storing them externally. It will help free up storage space and ensure data redundancy. Solid Backups is the industry-leading WordPress backup plugin protecting over a million websites worldwide.

Solid Backups is your WordPress backup expert that will make sure you always have multiple copies of your website stored safely at a remote location. Configure your backup schedule and choose where to send your backups, and Solid Backups will do the rest for you. One click restores, custom backups, and multiple remote locations to choose from. These are just a few of the ways Solid Backups can make your life as a website owner much easier.

How to Fix the WordPress Login Redirect Loop and Restore Access to the Admin Dashboard

Troubleshooting WordPress login redirect loops can vary dramatically depending on the source of the issue. As there are a myriad of possible reasons behind WordPress redirecting you back to the login page, there is really no universal solution that will fit every situation.

First of all, try clearing your browser cache and deleting cookies. If it helps, you can rest assured that there are no issues on the server-side. If it doesn’t help, it’s time to take a closer look.

Follow the steps below to fix the WordPress login redirect loop on your website:

• Check your website configuration
• Restore access to the WordPress admin dashboard
• Scan your WordPress website for malware

Step 1. Check Your Website Configuration

Start the troubleshooting process with checking your WordPress website configuration. It will include your wp-config.php and .htaccess files, your WordPress address settings, and file permissions. Do not forget to check if your WordPress website has not reached its disk quota. Also, check whether the correct database connection information is included in wp-config.php.

This way, you can rule out most possible issues before deactivating plugins and switching to the default WordPress theme. Once you check all these aspects, you should have a clear understanding of why WordPress refused to open the admin panel after you enter the correct credentials.

Please note that although you can check your WordPress website’s error logs, and sometimes it can be really helpful, it is possible that what you see will leave you even more confused. Or you will see nothing related to the possible cause of the WordPress login redirect loop on your website.

Step 2. Restore Access to the WordPress Admin Panel

Follow the instructions provided in the previous section of the guide to address the issue you have identified. If you have not noticed any misconfigurations, deactivate all plugins to see if a plugin conflict was the reason for seeing a WordPress login loop. Once you restore access to the WordPress admin panel, you will be able to address the issue permanently.

Malware infection

New suspicious files in the website’s document root directory, modified permissions, and malicious injections in WordPress core files and even .htaccess – all these signs mean that your website is hacked. A malware infection is essentially a combination of issues described in the previous section of the guide. An inability to access your WordPress admin dashboard is just the very least that malware can lead to.

Step 3. Scan Your Website for Malware and Signs of Unauthorized Access

Your WordPress admin dashboard allows you to access advanced security tools to scan your website for malware and investigate how the hacker managed to break in. Solid Security Pro and Solid Backups will help you recover from any malware infection and get your website up and running again in a matter of minutes.

Use the Solid Security Pro Site Scan to check the key areas of your website for security vulnerabilities. File Change Detection and File Permission Check will help you identify what the hacker has modified and how you can remedy the situation.

Do not forget to have all software, including the WordPress core, plugins, and themes, updated. Solid Security Version Management will help you configure auto updates to significantly reduce the attack surface.

Restoring from a backup might be the best solution, especially if you can determine when exactly the website got hacked. Choose a clean backup from the list of all website copies Solid Backups saved, and restore the website files to avoid having to perform the malware cleanup manually.

Wrapping Up

WordPress login redirect loops are often difficult to troubleshoot due to a large number of issues that can cause it. If WordPress refused to log you into the admin dashboard, it’s time to perform a full revision of your website and address all misconfigurations and security vulnerabilities.

Taking a mindful approach to WordPress website administration and security will help you prevent most errors and avoid malware infections. It includes regular updates, backups, and security monitoring.

Solid Security Pro and Solid Backups will be your team of security and data recovery experts while you focus on growing your online presence.