WordPress Login Issues: How to Fix WordPress Login Not Working
by
7-layers of Security for Your WordPress Site
Your website needs the most comprehensive security to protect it from the constant attacks it faces everyday.
You are at the WordPress login screen, you need the dashboard, and WordPress is not letting you in. The password may fail. The page may refresh after login. You may get into WordPress for a moment, then get pushed out before you can do anything useful.
That is when people usually start trying every fix they can find.
Slow down. A WordPress login issues are usually fixable, but random fixes can turn one problem into three. The trick is to identify the symptom, start with the safest checks, and only move into files, plugins, URLs, roles, or the database when the simpler fixes fail.
TL;DR: Start with the safe checks: confirm the login URL, try /wp-login.php, clear cookies and cache, use a private window, and reset the password. If that fails, check recent plugin, theme, 2FA, security, SSL, domain, or URL changes before touching the database; back up first, and scan the site if you see unknown admins, role changes, strange redirects, or repeated lockouts.
Start With The Symptom
The visible problem is simple: you cannot get into WordPress. The hidden problem is that login depends on cookies, browser sessions, the site URL, SSL, plugins, themes, user roles, email delivery, security rules, and sometimes the database.
Use the symptom to choose the first fix. Do not treat every lockout as the same problem.
| What you see | What it usually points to | Try first |
|---|---|---|
| Password is rejected | Wrong password, wrong user, changed email, compromised account | Use Lost your password and confirm the account email |
| Reset email never arrives | Mail delivery issue, wrong user email, inaccessible mailbox | Check spam, mailbox access, and another admin account |
| Login screen refreshes after you submit credentials | Cookies, cache, URL mismatch, SSL/domain change, plugin conflict | Clear cookies/cache, use private browsing, check site URLs |
| WordPress keeps logging you out | Cookie issue, domain mismatch, cache layer, security plugin, malware | Clear session data and check siteurl, home, and HTTPS settings |
| You can log in but cannot access wp-admin | Role/capability issue, critical error, server rule, file permissions | Ask another admin to check your role, then inspect errors |
| Login is temporarily disabled | Failed attempts, brute-force protection, security-plugin lockout | Stop retrying, wait, then review failed-login logs |
| Unknown redirects or changed admin roles | Possible compromise | Regain access carefully, scan the site, review users |
The table hides one important lesson: the fastest fix is not always the safest fix. A redirect can be a stale cookie. It can also be a bad URL setting or malware. The order is what keeps you from editing database rows when the real problem is your browser.
If you are fully locked out of WordPress, use that as your recovery path instead of repeating password resets and browser checks.
Before You Change Files Or The Database
File and database edits can restore access. They can also make the lockout harder to undo if you change the wrong thing.
Before you rename folders, edit wp-config.php, or update database values:
phpMyAdmin is not a badge of seriousness. It is an escalation path.
If you are on WordPress.com rather than self-hosted WordPress, some file-manager and database steps will not apply. Use your WordPress.com account recovery and support options instead.
Confirm The Login URL
Sometimes the problem is not the password. It is the route you are using to reach the login screen.
Try these:
https://example.com/wp-login.php
https://example.com/wp-admin/Replace example.com with your domain. If /wp-admin/ behaves oddly, go directly to /wp-login.php.
If your site uses a custom login URL, check whether the plugin or security setting behind it changed recently. A hidden login URL can reduce automated noise, but it is not real security by itself. If nobody documents it, the hiding place becomes the lockout.
Use /wp-login.php as the baseline. If that works, the problem is probably the custom login route, not your WordPress account.
Clear Cookies, Cache, And Browser State
WordPress needs cookies to keep you logged in. If the browser blocks them or stores stale session data, login can fail even when the password is right.
Start here:
On a current WordPress test site, the default login screen still has the familiar controls: Username or Email Address, Password, Remember Me, Log In, and Lost your password. That simple screen depends on the browser accepting the session cookie after login.
If you use a caching plugin, CDN, or host-level cache, clear those caches too. Browser cache is only one layer. A stale server or CDN redirect can keep the login flow broken after you have fixed the original setting.
Plain rule: if login refreshes, loops, or ends the session immediately, clear the session and cache layers before touching the database.
Reset Or Recover Your Password
If WordPress rejects the password, use the built-in reset flow first. It is safer than editing the database and it proves whether the account email still works.
Go to:
/wp-login.php?action=lostpasswordEnter the username or email for the account. WordPress should send a reset link to that user’s email address. On the current WordPress lost-password screen, the form asks for a username or email and shows a Get New Password button.
If the email does not arrive:
If the email account is gone or inaccessible, use your host’s tools or phpMyAdmin only after you have a backup. Make sure you are in the right database and editing the right user. Multisite installs, staging copies, and old migrations are where people quietly reset the wrong account.
After a database password reset, log in and set a new strong password inside WordPress. Treat the database change as a bridge back in, not your long-term password plan.
Check Recent Plugin, Theme, 2FA, And Security Changes
If the login issue started after an update, install, migration, or settings change, start with the thing that changed. WordPress does not usually break login out of pure creativity.
Plugins can affect login by changing redirects, cookies, custom login URLs, 2FA rules, cache behavior, or security settings. Disable the most likely suspect first.
Use FTP, SFTP, or your host file manager to rename that plugin’s folder inside:
wp-content/plugins/If you do not know which plugin caused the issue, temporarily rename the whole plugins folder. WordPress will treat the plugins as inactive. If login works, restore the folder name and reactivate plugins one by one until the problem returns.
That last part matters. Reactivating everything at once only proves that something is wrong, which is not a diagnosis.
For 2FA issues, check recovery codes, the authenticator app connection, device time sync, and whether another admin can reset your 2FA. Disable the plugin only if the normal recovery path fails.
For security plugins, be careful. A lockout may be bad configuration, but it may also be a real response to failed-login traffic. Disable the plugin only long enough to regain access and correct the setting.
If a theme update triggered the issue, switch to a default bundled WordPress theme. Do not leave WordPress without a usable theme. If wp-admin is unavailable, this may require host tools or a database-level change, so treat it as a later step.
Fix URL, SSL, Domain, And Redirect Mismatches
Login loops often happen when WordPress, the browser, and the server disagree about the site’s real address.
This is common after:
If you can access wp-admin, check WordPress Address and Site Address in General Settings. They should match the domain and protocol you actually use.
If wp-admin is unavailable, check the database values:
These usually live in the WordPress options table, though the table prefix may differ.
Also check wp-config.php for:
define('WP_HOME', 'https://example.com');
define('WP_SITEURL', 'https://example.com');Those constants can override database values. That means you can fix siteurl and home in the database and still have WordPress use the old hardcoded URL.
Cookie domain issues can show up the same way. If the site moved from www.example.com to example.com, or from HTTP to HTTPS, the browser may be holding a cookie that no longer matches the site WordPress thinks it is serving.
The practical rule is simple: make the domain and protocol agree everywhere, then clear browser, site, host, and CDN caches.
If the same redirect keeps sending you back to login, treat it as a WordPress login redirect loop and troubleshoot the URL, cookie, SSL, and redirect layers together.
Separate Login Failure From wp-admin Failure
Sometimes WordPress accepts your login, but you still cannot reach the dashboard.
That is not the same problem. Login proves WordPress knows who you are. wp-admin access depends on whether your user has the right role, whether admin pages are loading, and whether server rules allow access.
Check:
If another administrator can access the site, ask them to inspect your user role first. That is safer than editing the database.
If admin privileges changed unexpectedly, pause and treat it as a security signal. Review admin users, look for unfamiliar accounts, and check recent plugin or theme file changes.
Use debug logging only briefly if you need to investigate a critical error. Do not turn on public error display on a production site. A broken dashboard is bad enough without publishing stack traces to visitors.
Plain distinction: if WordPress accepts your login but blocks the dashboard, stop resetting the password. Look at roles, permissions, errors, and security rules.
If the specific problem is that you can’t access wp-admin after authentication, use a dashboard-access recovery path rather than another password reset.
Handle Temporary Login Lockouts Carefully
“Login temporarily disabled” usually means failed attempts are being limited.
That can happen because you typed the wrong password too many times. It can also happen because bots are hitting the login page and your security layer is trying to slow them down.
Do this:
If you caused the lockout, reset the password and move on. If automated attempts caused it, waiting is not a fix. You need login protection that can protect your login page from bots and brute-force attempts without locking out real users every time the site gets noisy.
MalCare’s bot protection and firewall fit that second case: repeated failed-login traffic, brute-force attempts, and lockouts that keep coming back.
When To Suspect Malware Or Compromise
Most WordPress login issues are not malware. Cookies, cache, wrong passwords, plugin conflicts, and URL mismatches are more common.
But some signs deserve a security check:
Malware can create redirects, add users, change roles, and interfere with access. Brute-force traffic can trigger lockouts even when the site is not compromised. Those are different problems, but both need attention.
After you regain access, scan your WordPress site for malware with MalCare if the symptoms point to compromise. If malware is found, clean it before you keep changing settings. Otherwise, you may fix the same redirect or user change again while the infection remains.
Then rotate passwords, remove unknown users, review administrator roles, update vulnerable plugins and themes, and add login protection.
The warning is not that every WordPress login issue is an attack. The warning is simpler: do not ignore security symptoms just because one browser fix worked once.
Prevent Future WordPress Login Issues
Once you are back in, spend ten minutes making the next lockout less likely. Future-you will be less annoyed.
Use this WordPress security maintenance checklist:
This is where MalCare makes sense as an ongoing layer: malware scanning, cleanup, firewall protection, bot protection, and monitoring are useful after the immediate login problem is solved. The goal is not to make login complicated. The goal is to stop bad traffic and suspicious changes from becoming your next access problem.
FAQs
Why is my WordPress login not working?
The most common causes are wrong credentials, stale cookies, browser cache, a plugin or theme conflict, a security or 2FA block, a URL/SSL mismatch, changed user roles, or malware. Start with URL, cookies, cache, private browsing, and password reset before editing files or the database.
Why does WordPress keep sending me back to the login screen?
This usually points to cookies, cache, URL mismatch, SSL/domain mismatch, a plugin conflict, or a redirect rule. Clear cookies and cache first, then check siteurl, home, WP_HOME, WP_SITEURL, HTTPS settings, and recently changed plugins.
How do I log in if I forgot my WordPress password?
Use /wp-login.php?action=lostpassword and enter your username or email. If the reset email is unavailable, ask another administrator or use your host’s database tools only after taking a backup.
How do I disable plugins if I cannot access wp-admin?
Use FTP, SFTP, or your host file manager to rename the suspect plugin folder inside wp-content/plugins/. If you do not know which plugin is responsible, rename the whole plugins folder temporarily, then restore it and reactivate plugins one by one.
Why does WordPress keep logging me out?
Repeated logouts often come from cookie problems, mixed HTTP/HTTPS settings, www versus non-www mismatch, cache layers, security plugins, or malware. Clear session data first, then check URL consistency across WordPress settings, wp-config.php, and the database.
What should I do if WordPress login is temporarily disabled?
Stop retrying and wait for the lockout window to expire. Then confirm the correct credentials and check security logs. If failed attempts are coming from bots, add login protection, bot protection, and a firewall instead of only waiting for the next lockout.
Can malware stop me from logging in to WordPress?
Yes, but it is not the most common cause. Suspect malware when you see unknown admin users, changed roles, strange redirects, disabled security plugins, unfamiliar files, or settings that revert after you fix them. Regain access carefully, scan the site, clean any infection, rotate passwords, and review admin users.
Category:
Share it:
You may also like
-
Fixing WordPress High CPU Usage: A Complete Guide!
Your host says your WordPress site is using too much CPU. The admin is crawling, checkout is timing out, the site throws 5xx errors, or it eventually leads to a…
-
WordPress Salts 101: Everything You Need to Know
You usually notice WordPress salts when you are already worried about WordPress security. You open wp-config.php, see a block of long random strings, and wonder if you should change them,…
-
How We Build WordPress Virtual Patches
At MalCare, we have built one of the most advanced WordPress virtual patching systems in the world. It protects sites in the risky gap between discovering a vulnerability and safely…
How can we help you?
If you’re worried that your website has been hacked, MalCare can help you quickly fix the issue and secure your site to prevent future hacks.
My site is hacked – Help me clean it
Clean your site with MalCare’s AntiVirus solution within minutes. It will remove all malware from your complete site. Guaranteed.
Secure my WordPress Site from hackers
MalCare’s 7-Layer Security Offers Complete Protection for Your Website. 300,000+ Websites Trust MalCare for Total Defence from Attacks.
