You enter your credentials, click log in, and… the page refreshes back to the login form. No error, no message, just a loop. This is the dreaded WordPress login redirect loop. At CODE TOT, we’ve encountered this most frequently on sites that have recently scaled with a load balancer or a caching layer like Varnish or Nginx FastCGI Cache.
Professional Insight: If your site just added an SSL certificate and you’re seeing this loop, it’s likely because your server is “stripping” the HTTPS information before it reaches WordPress. This creates a “Mixed Content” redirect cycle that blocks the login session.
1. The .htaccess Rule Check (Apache Users)
If you’re on a standard Apache server, your .htaccess might have a redirect that’s too aggressive. Ensure your HTTPS redirect rule explicitly excludes the wp-login.php and admin-ajax.php pages if you’re experiencing loops. A standard, safe HTTPS redirect looks like this:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
2. Hardcoding the Site URLs
If you can’t access the dashboard to check your settings, you must override them in wp-config.php. This is the most reliable way to break a redirect loop caused by a database mismatch:
define( 'WP_HOME', 'https://your-site.com' );
define( 'WP_SITEURL', 'https://your-site.com' );
# Ensure protocols match exactly!
3. The Caching Culprit: Nginx & Cloudflare
If you use Cloudflare with “Flexible SSL,” your server sees traffic as HTTP while Cloudflare sees it as HTTPS. This is the #1 cause of redirect loops. You should either switch to “Full (Strict) SSL” or add this “Proxy Forward” code to your wp-config.php to tell WordPress the site is indeed running over HTTPS:
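// isset() avoids a PHP warning when the request did not pass through the proxy.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
    // The proxy reported HTTPS, so tell WordPress the request is secure.
    $_SERVER['HTTPS'] = 'on';
}
4. Clear All Caches via CLI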
Stale page caches or object caches (Redis/Memcached) can store old redirect headers. Use WP-CLI to flush everything from the command line:
# Flush the object cache
wp cache flush
# If you use a specific plugin like WP Rocket, clear it too:
wp rocket clean --confirm
Conclusion
The login loop is a communication breakdown between your server, your database, and your browser’s cookies. By following these steps—especially checking your SSL proxy settings—you can resolve the loop in minutes. If you’re stuck on a complex server setup, our Architectural Consulting can help optimize your stack.
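A stricter form of the proxy check from section 3, as an added example (not code from the original article): it honours X-Forwarded-Proto only when the request arrives from a known proxy address, because any client can send that header if the proxy does not overwrite it. The helper names and the 203.0.113.0/24 and 198.51.100.7/32 ranges are placeholders; it assumes IPv4 proxies, 64-bit PHP, and a proxy that overwrites the header rather than appending to it.

```php
<?php
// Added example for wp-config.php (above the "stop editing" line); not from the original article.
// ASSUMPTION: placeholder documentation ranges; replace with your proxy's real IPv4 ranges.
$example_trusted_proxies = array( '203.0.113.0/24', '198.51.100.7/32' );

// Hypothetical helper: true when IPv4 address $ip lies inside $cidr.
function example_ipv4_in_cidr( $ip, $cidr ) {
    $parts  = explode( '/', $cidr, 2 );
    $bits   = isset( $parts[1] ) ? (int) $parts[1] : 32;
    $ip     = ip2long( $ip );
    $subnet = ip2long( $parts[0] );
    if ( false === $ip || false === $subnet || $bits < 0 || $bits > 32 ) {
        return false; // Not IPv4 or malformed range: never trust it.
    }
    // Build the netmask (64-bit PHP assumed), e.g. /24 -> 0xFFFFFF00.
    $mask = ( -1 << ( 32 - $bits ) ) & 0xFFFFFFFF;
    return ( $ip & $mask ) === ( $subnet & $mask );
}

// Hypothetical helper: should this request be treated as HTTPS?
function example_request_is_https_via_proxy( array $server, array $trusted ) {
    $remote = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';
    $proto  = isset( $server['HTTP_X_FORWARDED_PROTO'] )
        ? strtolower( trim( $server['HTTP_X_FORWARDED_PROTO'] ) )
        : '';
    if ( 'https' !== $proto ) {
        return false; // Exact match only; "http" or a list of values is rejected.
    }
    foreach ( $trusted as $cidr ) {
        if ( example_ipv4_in_cidr( $remote, $cidr ) ) {
            return true; // Header came from a proxy we operate or trust.
        }
    }
    return false; // Header set by an unknown peer: ignore it.
}

if ( example_request_is_https_via_proxy( $_SERVER, $example_trusted_proxies ) ) {
    $_SERVER['HTTPS'] = 'on';
}
```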


