How to fix redirect loops on your website

Seeing ERR_TOO_MANY_REDIRECTS (or “the page isn’t redirecting properly”) means your site is stuck bouncing between URLs instead of loading the page. It’s common after SSL, CDN or plugin changes — and it hurts SEO, conversions and visitor trust. Here’s the calm, business-friendly way to diagnose and fix it.

What’s going on

A redirect loop happens when rules conflict — for example, one rule forces http → https while another forces https → http, or non-www ↔ www. Browsers give up and show an error. Loops can be created by WordPress settings, server rules (.htaccess / Nginx), plugins, or edge services like a web application firewall (WAF) or CDN.

How visitors see it

  • Chrome/Edge: “This page isn’t working — redirected you too many times.”
  • Firefox: “The page isn’t redirecting properly.”
  • Safari: “Too many redirects.”

Why this matters to your business

  • Lost enquiries & sales: Forms, carts and key pages fail to load.
  • SEO impact: Crawlers struggle to index; rankings and visibility can drop.
  • Support drain: More complaints and time spent firefighting.

Quick checks (safe and fast)

  • Open the site in a private/incognito window or clear cookies — stale cookies can preserve a loop.
  • Clear caches: browser, CDN/WAF and any application cache.
  • If you use a WAF, temporarily disable “force HTTPS” in its dashboard and retest.

Find where the redirect comes from

You’re trying to locate the layer that issues the redirect: WordPress, the server, or the edge (CDN/WAF).

  1. Check the first hop: curl -I http://example.com. Note the Location (target) and Server (who redirected you).
  2. Bypass the edge: Send a request to your origin IP with the correct Host header to see if the server is redirecting:
    curl -I http://ORIGIN_IP -H "Host: example.com"
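  3. Test HTTPS correctly: Use --resolve so curl connects to the origin IP while still sending example.com as the SNI name and Host header, which reaches the right virtual host: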
    curl -I https://example.com --resolve example.com:443:ORIGIN_IP
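
To see every hop rather than only the first, the check in step 1 can be repeated along the chain. The script below is an added example, not part of the original article: it follows each Location header in turn, prints the Server header of whoever answered, and reports the hop at which a URL repeats. The function names and the sample_head responses are constructed for illustration, and only absolute and root-relative Location values are handled.

```shell
#!/bin/sh
# Added example, not from the original article: follow a redirect chain one hop
# at a time and stop at the first URL that repeats.

# head_of URL: raw response headers for a single request, redirects not followed.
head_of() { curl -sS -I --max-time 10 "$1"; }

# sample_head URL: CONSTRUCTED responses imitating the classic conflict (edge
# forces HTTPS, origin forces HTTP) so the script can be run offline.
sample_head() {
  case "$1" in
    http://example.com/)  printf 'HTTP/1.1 301 Moved\r\nServer: edge-waf\r\nLocation: https://example.com/\r\n\r\n' ;;
    https://example.com/) printf 'HTTP/1.1 301 Moved\r\nServer: nginx\r\nLocation: http://example.com/\r\n\r\n' ;;
    *)                    printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n' ;;
  esac
}

# parse_hop: headers on stdin -> "STATUS|SERVER|LOCATION" (header names are case-insensitive).
parse_hop() {
  tr -d '\r' | awk '
    NR == 1 { status = $2; next }
    { i = index($0, ":"); if (!i) next
      name = tolower(substr($0, 1, i - 1)); val = substr($0, i + 1); sub(/^[ \t]+/, "", val)
      if (name == "server") server = val
      if (name == "location") loc = val }
    END { print status "|" server "|" loc }'
}

# trace_redirects URL [FETCH_FN] [MAX_HOPS]
# Returns 0 when the chain ends on a non-redirect, 1 on no response,
# 2 on a loop, 3 if MAX_HOPS is reached.
trace_redirects() {
  url=$1; fetch=${2:-head_of}; max=${3:-10}; seen=" "; n=0
  while [ "$n" -lt "$max" ]; do
    hop=$("$fetch" "$url" | parse_hop); n=$((n + 1))
    status=${hop%%|*}; rest=${hop#*|}; server=${rest%%|*}; loc=${rest#*|}
    [ -n "$status" ] || { echo "no response from $url" >&2; return 1; }
    printf 'hop %d  %s  %s  server=%s  location=%s\n' "$n" "$status" "$url" "$server" "${loc:--}"
    case "$status" in 3??) ;; *) return 0 ;; esac
    [ -n "$loc" ] || return 0
    # Resolve a root-relative Location against the current scheme and host.
    case "$loc" in /*) rest=${url#*://}; loc="${url%%://*}://${rest%%/*}$loc" ;; esac
    seen="$seen$url "
    case "$seen" in *" $loc "*) echo "LOOP: hop $n ($server) sends you back to $loc"; return 2 ;; esac
    url=$loc
  done
  return 3
}

# Offline run on the constructed responses; for a live site: trace_redirects http://example.com/
trace_redirects http://example.com/ sample_head || echo "exit status: $?"
```

The same function is useful for the final confirmation: a fixed site should end with status 0 after at most two printed hops.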

Common causes to check

  • Conflicting rules: Mixed http/https and www/non-www redirects at different layers.
  • CMS URLs: Wrong WordPress Home and Site URL (in settings or wp-config.php).
  • Server config: Duplicate or clashing rules in .htaccess (Apache) or nginx.conf (Nginx).
  • Plugins: SSL, redirect or caching plugins forcing their own rules.
  • CDN/WAF policies: Edge-level HTTPS/redirect features contradict origin settings.

Fix the loop — step by step

1) Verify SSL at the origin

Make sure your server presents a valid certificate for your domain. If it does, you can safely run end-to-end HTTPS; if not, avoid forcing HTTPS at the origin until fixed.

2) If you use Sucuri WAF (edge in front of your site)

  • Origin has SSL: In WAF HTTPS/SSL settings, set SSL Mode to Full HTTPS.
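  • No SSL at origin: Set SSL Mode to Partial HTTPS so the edge speaks HTTPS to visitors, but HTTP to origin. That edge-to-origin leg is unencrypted, so install a certificate at the origin and move to Full HTTPS when you can.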
  • Clear WAF cache and retest in a private window.

3) If you use Cloudflare + Sucuri WAF

  1. In Cloudflare SSL/TLS → Overview, set Encryption mode to Full (end-to-end).
  2. Match Sucuri WAF SSL Mode to your origin status (Full if origin has SSL, Partial if not).
  3. Purge caches (Cloudflare, WAF, browser, application) and retest.

4) Align WordPress and server rules

  • WordPress URLs: In wp-config.php, ensure:
    define('WP_HOME', 'https://example.com');
    define('WP_SITEURL', 'https://example.com');
    Use your preferred canonical (HTTPS + either www or non-www) and stick to it.
  • .htaccess / Nginx: Keep one clean redirect to your canonical domain and remove duplicates. Avoid chaining multiple hops.
  • Plugins: Temporarily disable SSL/redirect plugins while testing to prevent hidden rules.

5) Confirm it’s fixed

  • Re-test with curl -I and your browser’s Network tab — you should see at most one redirect to the final URL.
  • Purge all caches again so visitors and search engines see the corrected behaviour immediately.

Prevention and good practice

  • Choose a single canonical: Decide on https://example.com or https://www.example.com and enforce it once — not at multiple layers.
  • Stage changes first: Test SSL, WAF/CDN modes and redirect rules in staging before live.
  • Keep software updated: Managed WordPress updates reduce conflicts and security risk.
  • Security monitoring: Track redirect counts and 3xx/4xx/5xx trends to catch issues early.
  • Backups: Maintain regular, off-site backups for fast rollback alongside malware protection and malware removal readiness.

How matm can help

  • Managed WordPress, plugin & theme updates
  • Security monitoring and WAF setup
  • Regular backups & fast site recovery
  • Malware removal and emergency response

Stuck in a redirect loop or nervous about breaking SEO? We’ll fix the issue and strengthen your WordPress security, calmly and quickly. Email [email protected] or call 01952 883 526.

Based on research by Sucuri.