Wordpress Login Just Refreshes Page

Since I installed Cloudflare I can’t login in my Wordpress admin panel.

When I enter my credentials the login page just refreshes.

When I set Development Mode in Cloudflare I can login without any problem.

How to fix this?

These are to less infos to work with.

Do you use HTTPS links in WP installation? If no, do you use CloudFlare with any SSL-Mode?
If so, which one? Maybe flexible?

What does the console say? Many redirects?

I’m using HTTPS, have my own SSL certificate on my host installed.

Set Cloudflare SSL to Full.

Console doesn’t say anything, just refresh the login page and can’t login.

Cant debug it from here, if you dont mind posting your link to the login you can do so and I will have a look


I see this error:

Failed to set referrer policy: The value '' is not one of 'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', or 'unsafe-url'. The referrer policy has been left unchanged.

Dont know exactly where this comes from.
Are there any erros in your server-log?

This has nothing to do with the problem as this error been there for ages, but never had any issues with login. They first started when I installed Cloudflare.

I have also W3TC plugin integrated with Cloudflare.

As I said when set Cloudflare to Development mode I can login normally with no problems.

Fixed the error you were seeing ( now it’s gone )

Here is a server log error:
[Mon May 11 04:37:16.283703 2020] [:error] [pid 13608:tid 47955225917184] [client] [client] ModSecurity: Warning. Pattern match “(\\.htaccess|.+\\.(pht|phtml|php\\d?)$)” at REQUEST_FILENAME. [file “/etc/apache2/conf.d/modsec_vendor_configs/imunify360-full-apache/004_i360_4_custom.conf”] [line “1180”] [id “77140992”] [msg “Suspicious access attempt (WP folders)!||SC:/home/public_html/mysite.com/wp-admin/admin.php||T:APACHE||MVN:REQUEST_FILENAME||MV:/wp-admin/admin.php||PC:503||”] [severity “NOTICE”] [tag “service_i360custom”] [tag “noshow”] [hostname “www.mysite.com”] [uri “/wp-admin/admin.php”] [unique_id “[email protected]”], referer: https://www.mysite.com/wp-admin/admin.php?page=w3tc_browsercache

Please deactivate the plugin “imunify 360” and test again with CloudFlare

Not sure if I can do that. I have requested it from my host though

It blocks the login, but this can have another cause:

the real IP if not hitting the origin Server as you get proxied through CloudFlare. You should turn on mod_cloudflare on your server to get the real IP from the visitor, this may fixed the problem

I have turned off Mod Security on my host to see how it goes

I think CloudFlare cached your login page and admin area. Did you disabled “wp-admin” and “wp-login.php” “Cache Level - ByPass” and “Disable Performance” rules in CloudFlare page rule. I faced similar issue and managed to fix it this way.

I have removed ModSecurity/Imunify360 from my host and now it’s ok.

Then please mark

As correct answer/solution, so others know what to do

This topic was automatically closed after 30 days. New replies are no longer allowed.