To many redirects when trying to access wordpress dashboard



I am having issues since switching to Cloudflare, i can no longer log into my website wp-login.php i get the error (my domain) has redirected you to many times. All other parts of the website are fine just the logon page.

I have an SSL certificate installed on my host (go daddy) and i have the option Full (strict) set within my cloudflare control panel.

I have WP-rocket installed on my website with the cloudlfare addon and everything is configured correctly.

I have All in one WP-security too and i’ve also tried disabling that, but the problem still persists.

I have spent a good 4 hours looking into this before creating this thread. I have done the following to try and resolve the issue; purge the WP-rocket cache, purge the cloudflare cache. change the ssl setting within Cloudflare control panel to flexible, full, full -strict. i have tried disabling “always use https” and “https rewrites”. I have used chrome within incognito mode. i have checked my database within phpmyadmin WP options table to make sure https is set for option 1 and 2. I have tried white listing cloudflare ips within the .htacess file but i just get error 500 so i have to revert back.

I have noticed if i delete my .htaccess file i can get to the wp-login page, so i guess something within my .htaccess file is causing the issue, but i’m not sure what, please see below.

I have amended my domain to “mydomaindotuk” and IP address of host to and my home wan ip to for security purposes.

BEGIN WP Rocket v3.1.4

Use UTF-8 encoding for anything served text/plain or text/html

AddDefaultCharset UTF-8

Force UTF-8 for a number of file formats

AddCharset UTF-8 .atom .css .js .json .rss .vtt .xml

FileETag None is not enough for every server.

Header unset ETag

Since we’re sending far-future expires, we don’t need ETags for static content.

FileETag None

Header set X-Powered-By "WP Rocket/3.1.4" Header unset Pragma Header append Cache-Control "public" Header unset Last-Modified

<FilesMatch “.(css|htc|js|asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|json|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|otf|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|tif|tiff|ttf|ttc|wav|wma|wri|xla|xls|xlsx|xlt|xlw|zip)$”>

Header unset Pragma
Header append Cache-Control “public”

Expires headers (for better cache control)

ExpiresActive on

Perhaps better to whitelist expires rules? Perhaps.

ExpiresDefault “access plus 1 month”

cache.appcache needs re-requests in FF 3.6 (thanks Remy ~Introducing HTML5)

ExpiresByType text/cache-manifest “access plus 0 seconds”

Your document html

ExpiresByType text/html “access plus 0 seconds”


ExpiresByType text/xml “access plus 0 seconds”
ExpiresByType application/xml “access plus 0 seconds”
ExpiresByType application/json “access plus 0 seconds”


ExpiresByType application/rss+xml “access plus 1 hour”
ExpiresByType application/atom+xml “access plus 1 hour”

Favicon (cannot be renamed)

ExpiresByType image/x-icon “access plus 1 week”

Media: images, video, audio

ExpiresByType image/gif “access plus 1 month”
ExpiresByType image/png “access plus 1 month”
ExpiresByType image/jpeg “access plus 1 month”
ExpiresByType video/ogg “access plus 1 month”
ExpiresByType audio/ogg “access plus 1 month”
ExpiresByType video/mp4 “access plus 1 month”
ExpiresByType video/webm “access plus 1 month”

HTC files (css3pie)

ExpiresByType text/x-component “access plus 1 month”


ExpiresByType application/x-font-ttf “access plus 1 month”
ExpiresByType font/opentype “access plus 1 month”
ExpiresByType application/x-font-woff “access plus 1 month”
ExpiresByType application/x-font-woff2 “access plus 1 month”
ExpiresByType image/svg+xml “access plus 1 month”
ExpiresByType application/ “access plus 1 month”

CSS and JavaScript

ExpiresByType text/css “access plus 1 year”
ExpiresByType application/javascript “access plus 1 year”

Gzip compression

# Active compression SetOutputFilter DEFLATE # Force deflate for mangled headers SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding # Don’t compress images and other uncompressible content SetEnvIfNoCase Request_URI \ \.(?:gif|jpe?g|png|rar|zip|exe|flv|mov|wma|mp3|avi|swf|mp?g|mp4|webm|webp|pdf)$ no-gzip dont-vary

Compress all output labeled with one of the following MIME-types

AddOutputFilterByType DEFLATE application/atom+xml \ application/javascript \ application/json \ application/rss+xml \ application/ \ application/x-font-ttf \ application/xhtml+xml \ application/xml \ font/opentype \ image/svg+xml \ image/x-icon \ text/css \ text/html \ text/plain \ text/x-component \ text/xml Header append Vary: Accept-Encoding

END WP Rocket

BEGIN All In One WP Security


Require all denied

<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all

Require all denied

<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all

Require all denied

<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all

<Files .htaccess>

Require all denied

<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all

ServerSignature Off
LimitRequestBody 10240000

Require all denied

<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all


RewriteEngine On
RewriteCond %{REQUEST_URI} ^(.)?wp-comments-post.php(.) RewriteCond %{HTTP_REFERER} !^http(s)?://(.*)?\.mydomain\ dotuk [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^
RewriteRule .* [L]

<FilesMatch “^(wp-login.php)”>
<IfModule !mod_authz_core.c>
Order Allow,Deny
Allow from www.mydomaindotuk
Allow from
Allow from

Require all denied
Require local
Require ip
Require host www.mydomaindotuk
Require ip


END All In One WP Security

BEGIN WordPress

RewriteEngine On RewriteBase / RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] # END WordPress


I have managed to fix it, thanks anyways.

Turned out to be an issue with All in one WP Security and WP-Rocket, after deleting .htaccess file using FTP client and logging back into my website’s control panel, i re-copied across the original .htaccess file from a backup i had, whilst i stayed logged into my website’s control panel. I then proceeded to deactivate WP-Rocket followed by All in one WP-Security plugins, I attempted to browse to my sites wp-login page, which then successfully appeared whilst using chrome in incognito mode. i re-enabled WP-Rocket followed by All in one WP-Security, the .htaccess file was re-written by the WP-Rocket, but not All in One WP-Security (not sure why even after re-enabling it and clicking yes to re-write the config) but it works anyway.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.