WordPress Login Redirect Loop caused by Cloudflare Flexible SSL

Q: Does this affect all WordPress sites on Cloudflare?

Only sites using the Flexible SSL setting. Sites using Full or Full (Strict) are typically unaffected by this specific redirect loop.

Q: Can plugins fix this issue?

No. This is a protocol-level issue occurring at the CDN and server level, so WordPress-side plugins cannot resolve the root cause.

Q: Should I use Full or Full (Strict)?

Full (Strict) is highly recommended for the best security and to ensure end-to-end encryption.

Exact Problem

A WordPress login redirect loop occurs only when Cloudflare Flexible SSL is enabled.

After entering correct WordPress admin credentials:

The login form accepts the username and password
No password or username error is shown
The browser redirects back to the login page instead of /wp-admin/
The redirect repeats indefinitely
Browsers may display ERR_TOO_MANY_REDIRECTS
Pausing or disabling Cloudflare immediately restores admin access

The WordPress site front end continues to load normally over HTTPS.

If you are seeing this behavior without Cloudflare enabled, follow the core troubleshooting guide instead: WordPress Login Redirect Loop After Successful Login (wp-admin Redirects Back).

Platform

WordPress (self-hosted)
Cloudflare CDN / Proxy enabled

In summary, if you encounter a WordPress login redirect loop Cloudflare Flexible SSL, it’s crucial to troubleshoot the issue by checking your SSL settings and Cloudflare configurations.

Transparency Note

This issue is not caused by WordPress core, plugins, or themes.

It is caused by how Cloudflare Flexible SSL handles HTTPS traffic, which creates a protocol mismatch between the browser, Cloudflare, and the WordPress server.

No assumptions are made about hosting providers beyond Cloudflare being active.

Short Explanation

Cloudflare Flexible SSL encrypts traffic only between the visitor and Cloudflare.
Traffic between Cloudflare and the WordPress server remains HTTP.

WordPress requires end-to-end protocol consistency to validate login cookies.
When WordPress detects HTTPS in the browser but receives HTTP internally, authentication cookies fail validation.
This results in a login redirect loop and may surface as ERR_TOO_MANY_REDIRECTS.

While Cloudflare Flexible SSL is active, WordPress-side fixes (plugins, configuration changes, or redirects) will not resolve this issue.

Why Cloudflare Flexible SSL Causes WordPress Login Redirect Loop

The visitor connects to Cloudflare over HTTPS
Cloudflare connects to the WordPress server over HTTP
WordPress receives mixed protocol information
Authentication cookies are created but rejected
WordPress repeatedly redirects the browser
The browser may show ERR_TOO_MANY_REDIRECTS

WordPress admin authentication requires HTTPS all the way to the origin server.

How to Confirm Cloudflare Is the Cause

You can confirm this safely without changing WordPress files.

If all of the following are true:

The redirect loop or ERR_TOO_MANY_REDIRECTS appears only when Cloudflare is enabled
Pausing Cloudflare immediately restores admin access
WordPress URLs are already set to HTTPS
Plugins and themes do not affect the issue

Then Cloudflare Flexible SSL is the cause.

Pausing Cloudflare is a diagnostic step to confirm the cause, not a permanent solution.

How to Fix the Cloudflare Flexible SSL Redirect Loop

Go to https://dash.cloudflare.com
Log in to your Cloudflare account
Select the affected domain

Step 2 – Open SSL/TLS Settings

Click SSL/TLS in the Cloudflare dashboard
Ensure you are on the Overview tab

Step 3 – Check the Current SSL Mode

If the SSL mode is set to Flexible, this is the direct cause of the redirect loop and
ERR_TOO_MANY_REDIRECTS.

Step 4 – Change the SSL Mode (Critical Step)

Change the SSL mode from Flexible to:

Full, or
Full (Strict) (recommended)

After changing the SSL mode, wait 30–60 seconds for Cloudflare to apply the update before testing login.

Step 5 – Confirm Your Hosting Server Has SSL

Confirm your hosting provider has an SSL certificate enabled
Most hosts provide free Let’s Encrypt SSL

Step 6 – Clear Cloudflare Cache

Go to Caching → Purge Cache
Click Purge Everything

Open a new browser tab
Visit /wp-login.php
Log in to WordPress

The admin dashboard should now load normally without redirect loops.

What Not to Do

Do not keep Flexible SSL enabled for WordPress
Do not force HTTPS using Cloudflare Page Rules
Do not add redirect rules before fixing SSL mode
Do not modify WordPress core files for this issue

How to Prevent This Issue

Always use Full or Full (Strict) SSL with WordPress
Ensure your hosting server has a valid SSL certificate
Avoid Flexible SSL for authenticated applications
Test /wp-admin/ after enabling Cloudflare

Frequently Asked Questions

Is ERR_TOO_MANY_REDIRECTS a WordPress bug?
No. It is a browser-level symptom of repeated redirects caused by mixed HTTP/HTTPS handling.

Does this affect all WordPress sites on Cloudflare?
Only sites using Flexible SSL.

Can plugins fix this issue?
No. This is a protocol-level issue outside WordPress.

Should I use Full or Full (Strict)?
Full (Strict) is recommended.

Summary

Cloudflare Flexible SSL can cause WordPress login redirect loops and ERR_TOO_MANY_REDIRECTS
The issue is caused by mixed HTTP/HTTPS handling
Switching to Full or Full (Strict) resolves the problem
No WordPress files need to be modified

Written by TechHelpTips Editorial Team
We publish clear, step-by-step guides for common website and WordPress issues, focusing on safe, non-destructive fixes that help restore normal site functionality without unnecessary changes.