“Too many redirects,” also known as a redirect loop, is an error the browser will return if the requested web page fails to load due to an endless number of redirects it has to follow to retrieve any content from the server. Redirect loops can often be caused by conflicting redirects on the server side or a CDN misconfiguration.
In this comprehensive guide to fixing the “Too many redirects” error, you will learn where redirects can be configured, what the most common reasons behind redirect loops are and how to address them in a step-by-step manner.
What Are Redirects and How Do They Work?
Website redirects can be defined as the steps that need to be taken during the content delivery to find the location of the requested web page. While, for you, it might seem like the change achieved with a redirect rule only reflects how the website’s address is displayed in the address bar, your browser performs a series of operations behind the scenes to determine where each redirect leads before it can load any content from the final location defined by the redirection path.
Forcing HTTPS, the www version of a website, or loading another domain name — redirects are widely used in website hosting, allowing you to customize content delivery. There are multiple ways to set up domain redirects, and as long as they are configured correctly, browsers will not have any issues following the rules you have created.
Temporary and Permanent Redirects
There are two main types of redirects that can be configured — temporary and permanent. Depending on the type of redirect encountered, the web server will return either the 302 or the 301 HTTP status code.
A 302 HTTP response code shows you that a specific web address is temporarily redirected to another location. However, sometimes you can see that a temporary redirect is followed when you have removed a permanent redirect rule from your website, but haven’t flushed its cache, which prevented the changes from being visible.
This can happen if you are using a caching solution of any kind, including one of the WordPress caching plugins. Your browser will also store a cached version of any website you visit, which will include old redirects.
Permanent redirects return the 301 HTTP status code and indicate that your website or a certain page on it has been permanently moved, which, in case it is a redirect to HTTPS or the www version of the website, does not necessarily mean that its location on the file system has changed.
What Are The Most Common Redirects?
Redirects from the HTTP to HTTPS web protocol and from the non-www to the www version of the website are the two most common rules configured. Redirects to HTTPS ensure all web traffic is encrypted by using an SSL certificate, while redirects to www are often used to integrate a content delivery network with your website by using a CNAME record.
HTTP to HTTPS
A redirect from HTTP to HTTPS, often referred to as forcing HTTPS, can be configured to make sure no content is delivered to a website visitor over an insecure HTTP connection. If a valid SSL/TLS certificate is installed on your website, you typically do not need to force HTTPS manually, but adding such a redirect can be one of the ways of dealing with mixed content.
Mixed Content
Mixed content on the website can be defined as a situation when the base HTML file is loaded via HTTPS, but the other resources referenced, including images, Javascript or CSS files, are delivered to the visitor over HTTP. Even if you have a valid SSL certificate installed, browsers will still show a security warning if mixed content is identified on a web page.
Setting up a redirect to address the issue with mixed content is generally not the best solution. Instead, you should get all URLs (Uniform Resource Locators) in your website’s database updated to include the HTTPS protocol instead of HTTP. That can be done manually by using the search-replace feature WP CLI offers or a WordPress plugin. For other content management systems, you will need to modify the addresses by using a database administration tool like phpMyAdmin or running MySQL/MariaDB queries from the command line.
3 Main Locations Where Redirects Can Be Configured
Redirects can generally be configured in one of the three main locations:
- Web server configuration. Global configuration files used by a web server contain settings that are usually applied to all websites hosted, so adding redirects to one of them is not recommended. Using local configuration files created for each website individually is the standard for setting up redirects on the server-side.
- Content management system configuration. Your content management system stores your website’s address in the database as a constant, which can be used to force HTTPS or load the www version of it.
- Content delivery network configuration. Your CDN will force its own redirects that will define how exactly content is retrieved from the origin server and delivered to website visitors.
Redirects in Web Server Configuration Files
You can set up redirect rules locally in one of the configuration files that your web server will read. When Apache is used as the web server, redirect rules are usually set up in the website’s local .htaccess file. If NGINX is used, redirects are configured within the NGINX server block, which represents your website’s global configuration.
Below you can see two redirects that can be added to .htaccess — one forcing HTTPS, and the other sending all web requests to the www version of the website. Strict syntax rules need to be followed, or you risk getting your website down if Apache detects any syntax errors in one of the local configuration files.
If you use any redirect plugins for WordPress, they are most likely to write their redirects to your local .htaccess file too.
Redirects In WordPress Configuration
WordPress and other content management systems place the website’s address in the database, and the setting is loaded each time any content is requested. The address represents a URL which consists of a domain name and a web protocol, either HTTP or HTTPS. By changing the URLs in the database, you can redirect your website to www or force HTTPS if there is a SSL/TLS certificate installed.
WordPress uses the WP_HOME constant to identify the WordPress Address setting and WP_SITEURL as Site Address, which are stored in the wp_options table as siteurl and home. The WordPress Address setting refers to the location of the WordPress installation, while Site Address represents the URL you need to type in the browser address bar to open your website.
Redirects Forced By The CDN
Your content delivery network configuration defines how it can retrieve the requested web pages from the origin server and deliver them to your website visitors — over HTTP or HTTPS. The exact procedures are determined by the chosen encryption mode. There are three main encryption types offered by modern content delivery networks:
- Full, or end-to-end encryption. End-to-end encryption ensures HTTPS is used at all stages of content delivery. It means that all web requests from the browser to the CDN, and from the CDN to the origin server, are always sent over HTTPS. End-to-end encryption requires two SSL certificates — one installed on the origin server, and the other implemented by the CDN.
- Flexible, or partial encryption. Partial encryption forces all connections from the browser the CDN to go over HTTPS, while the CDN will connect to the origin server over HTTP. Your website, however, will still show as secure in all browsers.
- No encryption. With encryption disabled, content delivery will take place over HTTP, and all browsers will show a security warning loading your website.
If the CDN is trying to initiate a connection over HTTPS, but your web server redirects HTTPS requests to HTTP, a redirect loop is created, which results in seeing the too many redirects error on your website.
What Does The “Too Many Redirects” Error Mean?
“Too many redirects”, often referred to as a redirect loop, is an error message that indicates a conflict that occurs during content delivery caused by two competing redirects. When a redirect loop is is identified, modern browsers will return one of the following variations of the error:
- The page isn’t redirecting properly. You can see this error message in Firefox.
- The page isn’t working. ERR_TOO_MANY_REDIRECTS. Google Chrome will show this error once stuck in a redirect loop.
- Safari can not open the page because too many redirects occurred. This way, Safari will let you know what redirect conflicts need to be addressed before the website can be loaded.
To fix the too many redirects error, you will need to review the redirects configured in .htaccess and forced by the content management system, and check what encryption mode is used by the content delivery network if you have one used.
3 Most Common Misconfigurations That Cause A Redirect Loop On Your Website And How To Address Them
Going through all redirects to identify a conflict is not an easy task, especially if some are added to the web server’s global configuration, which makes them applied server-wide. However, there are some very frequently seen misconfigurations that inevitably lead to redirect loops.
The three most common reasons behind seeing “Too many redirects” on your website are:
- A valid SSL/TLS certificate is missing. A redirect loop can occur if your SSL certificate has expired or there are any other issues with it, but your website still tries to force HTTPS.
- The CMS website address settings are incorrect. If the protocol specified in the website address settings used by WordPress or another content management system conflicts with other redirects configured, it will cause the too many redirects error.
- The wrong CDN encryption mode is chosen. It is especially common to see redirect loops when switching to full encryption in the CDN configuration. If the requirements for using end-to-end encryption are not met by the origin server, it can result in issues.
A Valid SSL/TLS Certificate Is Missing
A valid CA-signed SSL/TLS certificate installed on the website ensures all web traffic is encrypted when delivered from the server to the browser. Moreover, HTTPS is likely forced on the server level, which works perfectly until your SSL certificate expires and does not get renewed automatically. It can happen for the following reasons:
- Automatic SSL/TLS certificate renewals are not enabled. If SSL has not been renewed automatically, you will have to order a new certificate and install it.
- SSL domain validation failed. Let’s encrypt or Sectigo, one of the most widely-used SSL providers that offer free certificates, implement different challenges to validate that you control the domain names a new certificate needs to be issued for. If domain validation fails, a new certificate won’t be installed until you address the issue that blocks the validation request.
- The root or one of the intermediate certificates has expired. When it happens, you will need to reinstall your certificate once the SSL provider addresses the issue on their side.
How to Address
Check whether your website has a valid certificate installed by using one an SSL checker. If it has expired or the SSL checker shows any other issues, reinstall the certificate. If Let’s Encrypt or Sectigo fail to issue a free certificate, you will need to check what might be blocking the validation request.
One of the reasons SSL domain validation fails is having a content delivery network integrated, especially if the last time Let’s Encrypt or Sectigo issued a certificate, you did not have it configured yet. If you need to install a new free SSL certificate, pause the CDN, so your website points to the server directly, returning its main IP address rather than the IP address that belongs to the content delivery network. This way, you can renew the certificate on the origin server to continue using end-to-end encryption.
The CMS Website Address Settings Are Incorrect
WordPress and all other content management systems can force redirects to HTTPS or www by storing the address of your website in the database and loading it each time any content is requested. If the site address settings are set up incorrectly — using the wrong protocol or domain name — it will cause issues, including seeing the too many redirects errors.
How to Address
If you have an SSL certificate installed, especially if end-to-end encryption is ensured by the CDN configuration, use HTTPS in both the WordPress Address and the Site Address settings. If you have your website redirected to the www version, both the WP_SITEURL and WP_HOME contestants need to reflect it.
Open the General Settings menu of your WordPress dashboard and correct the values assigned to WordPress Address and Site Address there needed. Click on the Save Changes to have WordPress modify the settings in the database.
The Wrong CDN Encryption Mode Is Chosen
There can’t be any conflicts between the redirects configured on the origin server and the encryption mode used by the CDN, or you will see the “Too many redirects” error trying to load your website in any browser. Make sure you choose the correct encryption mode that better suits the needs of your website.
As a content delivery network always encrypts traffic between its servers and the browser, unless you disable encryption entirely, you can choose not to have SSL installed on the origin server. Choose partial encryption and make sure you do not force HTTPS on the server level to avoid any issues accepting requests from the CDN over HTTP.
If end-to-end encryption is chosen, a valid SSL certificate should be installed on the origin server, so the CDN can connect over HTTPS. Unless you can install a new certificate manually, each time the SSL needs to be renewed, temporarily pause your CDN to avoid any issues with domain validation.
How to Address
Review your current setup and decide what encryption mode needs to be chosen. Switch to another encryption type to fix the “Too many redirects” error on your website that was caused by a conflicting redirect on your origin server or an absence of SSL on it required to support end-to-end encryption.
How To Fix The “Too Many Redirects” In 3 Steps
In the steps below, you will learn how to identify the conflicting redirects and quickly fix the redirect loop on your website.
Step 1. Check Your Website’s Redirection Path
Many sources advise clearing your browser cache as the first step to troubleshooting redirect loops. However, like with any other error, it will only work if the issue has been addressed on the server, but the browser still stores a broken version of your website in its cache. Typically, after making any changes to your website, you may want to flush its cache to see them reflected.
The first step to fixing “Too many redirects” is following your website’s redirection path to see where exactly the browser is getting stuck. The best way to do this is by using one of the redirect checkers.
All or most redirect checkers use cURL, a great command line tool for transferring data using various network protocols. We can use it to get the HTTP header information, which will show you what exactly happens once you attempt to load your website.
Save the following simple Bash script to a file named redirects.sh once you are connected to the server over SSH. Make it executable by running chmod +x redirects.sh.
Run the script by passing it to your website’s domain name. For example, ./redirects.sh wordpress.com.
Step 2. Identify The Conflicting Redirects
Examine the output you have got running the script above. It will tell you what kind of redirects cause “Too many redirects” to appear as the browser gives up on following the conflicting rules. In the output below, we can see that there is an infinite redirect from HTTP and HTTPS.
Note the return status codes of each redirect. Permanent redirects often come from the website’s .htaccess file, while temporary redirects are usually generated within the code of a website, so they are controlled by WordPress or the other content management system you use.
Step 3. Address the Redirect Loop
Depending on the conflicting redirect rules you have identified, you will know where to loop for them. As we discussed, there are three main things to check — your local .htaccess file, the website address settings stored in your website’s database by the CMS, and the encryption mode chosen in the CDN configuration.
If the redirect loop occurs while your website is trying to redirect between HTTP and HTTPS, check whether you have a valid SSL/TLS certificate installed and what encryption mode is chosen in your CDN configuration if you have any integration with your website. Check the Site Address and WordPress Address specified for your website and stored in the WordPress database.
Follow the instructions provided in the previous section of the guide to address common misconfigurations and fix “Too many redirects” on your website.
Conclusion
The “Too many redirects” error message, also known as a redirect loop, appears on your website when the browser has failed to load any content due to a large number of redirects that followed. To fix the redirect loop, you need to address the conflict that exists in the redirection path.
Running a business online is loaded with challenges, and spending hours setting up the server infrastructure and fixing errors is not always possible. Nor is it a good idea when having the right solutions can eliminate the need for hiring a dedicated team to keep your website running without any issues.
Protecting around a million WordPress websites, BackupBuddy and iThemes Security Pro are industry-leading solutions for application-level security and data recovery. Regular vulnerability checks and malware scans provided by the Site Scan feature allow you to significantly reduce the attack surface and protect your website from all known vulnerabilities. Automatic backups and easy one-click restores — BackupBuddy makes it possible to recover from all malicious attacks and common errors.
Get the bonus content: A Guide to WordPress Security
Kiki has a bachelor’s degree in information systems management and more than two years of experience in Linux and WordPress. She currently works as a security specialist for Liquid Web and Nexcess. Before that, Kiki was part of the Liquid Web Managed Hosting support team where she helped hundreds of WordPress website owners and learned what technical issues they often encounter. Her passion for writing allows her to share her knowledge and experience to help people. Apart from tech, Kiki enjoys learning about space and listening to true crime podcasts.
Keep reading the article at WordPress News | iThemes Blog. The article was originally written by Kiki Sheldon on 2022-09-27 09:27:11.
The article was hand-picked and curated for you by the Editorial Team of WP Archives.