Redirect Loop (ERR_TOO_MANY_REDIRECTS): Causes & Fix
You open the site and Chrome just spins, then throws "This page isn't working - example.com redirected you too many times." Firefox calls it a redirect loop, Safari says "too many redirects." Different wording, same problem: your site is redirecting to itself in a circle, and the browser gives up after a few hops.
This is almost always caused by two systems disagreeing about whether a request should be HTTP or HTTPS - or by a redirect rule that points back at itself. Here's how to find the actual loop and break it.
What's Actually Happening
A redirect loop happens when Request A gets redirected to Request B, and Request B gets redirected back to something that looks like Request A again. Each hop looks fine on its own; it's the combination that's broken. The most common culprits, in order of how often we see them:
- Cloudflare (or another proxy/CDN) set to Flexible SSL while your origin server force-redirects HTTP to HTTPS
- A
.htaccessrule redirecting to HTTPS that runs behind a load balancer, so the server never sees the request as "already HTTPS" - WordPress's
siteurl/homevalues set to a different protocol or domain than what's actually being served - Two overlapping redirect sources - e.g., a caching/SSL plugin and a server-level rule, both trying to force HTTPS
- A stale browser cache holding on to an old redirect that no longer matches your current config
Step 1: Confirm It's a Real Loop, Not a Cache
Before touching config, rule out the browser. Open the URL in an incognito/private window, or run:
curl -IL https://example.comThe -I flag fetches headers only, -L follows redirects and prints each hop. If curl shows the same URL (or an HTTP↔HTTPS ping-pong) more than 2-3 times, you have a real loop on the server side, not a browser cache issue. If curl works fine but the browser still loops, clear the site's cookies and HSTS state, or test in a private window on a different network.
Fix 1: Cloudflare/Proxy SSL Mode Mismatch
This is the single most common cause we see on Getwebup-hosted sites that sit behind Cloudflare. Here's the failure chain:
- Visitor requests
http://example.com - Cloudflare, set to Flexible, forwards the request to your origin server over plain HTTP
- Your origin (via
.htaccess, a WordPress plugin, or cPanel's "Force HTTPS Redirect") sees HTTP and redirects to HTTPS - Cloudflare intercepts that HTTPS request, terminates SSL at its edge, and forwards to origin over HTTP again
- Origin sees HTTP again and redirects to HTTPS again - loop
The fix: In Cloudflare, go to SSL/TLS > Overview and set the mode to Full or Full (Strict) - never Flexible, once your origin has its own valid SSL certificate (cPanel's AutoSSL covers this for free). Full/Strict tells Cloudflare to talk to your origin over HTTPS too, so the origin never sees a plain-HTTP request to redirect in the first place.
Fix 2: .htaccess Redirect Rules Fighting Each Other
Open public_html/.htaccess via cPanel's File Manager and look for more than one HTTPS-forcing block. A clean, single rule looks like this, placed above the WordPress block:
# BEGIN Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# END Force HTTPSNotice the second RewriteCond checking X-Forwarded-Proto. If your site sits behind a proxy or load balancer, %{HTTPS} alone can stay stuck on "off" even for genuinely secure requests, because Apache only sees the proxy's internal HTTP connection. Without that second condition, you get an infinite redirect. If you find two or three separate HTTPS-redirect blocks stacked in the file (often left behind by different plugins over time), delete all but one.
Fix 3: WordPress siteurl/home Mismatch
If Settings > General in wp-admin shows http:// in either the WordPress Address or Site Address field while the rest of your setup forces HTTPS, WordPress itself will keep redirecting. Since you may not be able to reach wp-admin at all during a loop, fix it directly in the database via phpMyAdmin, or add this to wp-config.php above the "stop editing" line:
define('WP_HOME','https://example.com');
define('WP_SITEURL','https://example.com');Remove these two lines once the site loads normally and you've corrected the values in Settings > General - leaving hardcoded constants in place permanently makes future domain changes harder to track down.
Fix 4: Duplicate Force-HTTPS Sources
Check for overlap between:
- cPanel > Domains > "Force HTTPS Redirect" toggle
- An SSL/security plugin (Really Simple SSL, WP Force SSL, etc.)
- A caching plugin's own HTTPS setting
Any two of these active together can each add a redirect, and if one uses a relative URL while another uses an absolute one, they can bounce a request back and forth. Turn off the cPanel-level toggle if a plugin is already handling it, or vice versa - don't run both.
Fix 5: Deactivate Plugins via File Manager When wp-admin Is Unreachable
If the loop locks you out of wp-admin entirely, rename the plugins folder via File Manager or SSH:
mv wp-content/plugins wp-content/plugins-disabledThis disables every plugin at once, breaking the loop if a plugin is the cause. Recreate an empty plugins folder, then move plugins back one at a time (or check wp-content/plugins-disabled folder names against your active plugin list) to find the one responsible.
Prevention Checklist
| Setup | Do this |
|---|---|
| Behind Cloudflare | Keep SSL mode on Full or Full (Strict), never Flexible |
| Custom .htaccess rules | Keep exactly one HTTPS-redirect block; check X-Forwarded-Proto if behind a proxy |
| SSL/force-HTTPS plugins | Run only one at a time - plugin or server-level, not both |
| After domain or SSL changes | Clear browser HSTS cache and test in a private window before assuming it's broken |
Most redirect loops trace back to two things disagreeing about the protocol - fix that single disagreement and the loop stops immediately.
Frequently asked questions
Why does ERR_TOO_MANY_REDIRECTS only happen for some visitors?
It's usually an HSTS or browser-cache issue on their end combined with an inconsistent redirect setup on yours. Some visitors' browsers cached an old redirect chain that no longer matches your current SSL/proxy configuration, so clearing their cache resolves it even though the underlying misconfiguration still needs a real fix.
Does clearing cookies actually fix a redirect loop?
It can mask the symptom for that one visitor, but if the server-side cause (like a Cloudflare SSL mode mismatch or a duplicate .htaccess rule) isn't fixed, the loop returns for every new visitor and often for the same one again after HSTS re-caches.
How do I check for a redirect loop without a browser?
Run curl -IL https://example.com from a terminal. It prints each redirect hop with its status code and Location header, so you can see exactly where the loop starts and which URL it keeps bouncing between.
I use Cloudflare - what SSL mode should I actually use?
Use Full (Strict) if your origin has a valid SSL certificate, which cPanel's free AutoSSL provides by default. Flexible mode is the most common cause of redirect loops because it lets Cloudflare talk to your origin over plain HTTP while your origin insists on redirecting to HTTPS.
Can a CDN or caching plugin cause a redirect loop even without SSL involved?
Yes - a cached copy of an old redirect rule (for example, a www-to-non-www redirect that got reversed later) can serve a stale 301 to visitors long after you've changed the actual rule. Purge the CDN and page cache after any redirect-related config change.