Every week, thousands of website owners enable Cloudflare for the first time, expecting faster load times and better security. Instead, they are greeted by a white screen and the message: "This page isn't working — ERR_TOO_MANY_REDIRECTS." The site is completely inaccessible. Visitors see nothing. The admin panel is unreachable. Panic sets in.
In this comprehensive guide, we will explain exactly what causes this redirect loop, walk through the fix step by step, cover WordPress-specific solutions, address Nginx and Apache configurations, and show you how to prevent this from ever happening again.
What Causes the Redirect Loop?
The root cause is a mismatch between Cloudflare's SSL mode and your origin server's HTTPS configuration. Specifically, when Cloudflare is set to Flexible SSL mode while your origin server forces HTTPS redirects, an infinite loop is created.
Here is exactly what happens, request by request:
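[Diagram: the browser requests HTTPS → Cloudflare terminates SSL → the origin receives HTTP → the origin redirects to HTTPS → Cloudflare terminates SSL → the origin receives HTTP again, and the cycle repeats.]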
Let us visualize the connection between each hop to make this crystal clear:
[Diagram: browser to Cloudflare (Flexible mode) is encrypted; Cloudflare to origin is unencrypted; the origin forces HTTPS → 301.]
The browser sees a padlock icon because the connection to Cloudflare is encrypted. But the connection from Cloudflare to your server is plain HTTP. Your server rightfully tries to enforce HTTPS, but Cloudflare keeps downgrading it back to HTTP. Neither side will back down, and the visitor is caught in the middle.
The Fix: Change Your Cloudflare SSL Mode
The solution is straightforward: change your Cloudflare SSL/TLS encryption mode from Flexible to Full or Full (Strict). This tells Cloudflare to connect to your origin server over HTTPS instead of HTTP, breaking the redirect loop.
1. Go to dash.cloudflare.com and sign in with your account credentials. You will see a list of all domains managed by your Cloudflare account.
2. Click on the domain that is experiencing the redirect loop. This will take you to the domain's overview page where you can see traffic analytics and quick actions.
3. In the left sidebar, click on SSL/TLS, then click Overview. You will see the current encryption mode displayed prominently at the top of the page.
4. Select Full (Strict) from the available options. This requires a valid SSL certificate on your origin server (a free Let's Encrypt certificate works perfectly). If you do not have an origin certificate yet, select Full as a temporary measure.
Understanding All Four SSL Modes
To make an informed decision, here is a comparison of all available Cloudflare SSL encryption modes:
| SSL Mode | Browser ↔ CF | CF ↔ Origin | Origin Cert Required? | Redirect Loop Risk | Security Level |
|---|---|---|---|---|---|
| Off | HTTP | HTTP | No | None | None |
| Flexible | HTTPS | HTTP | No | High | Weak |
| Full | HTTPS | HTTPS | Any (self-signed OK) | None | Medium |
| Full (Strict) | HTTPS | HTTPS | Valid (CA-signed) | None | Strong |
WordPress-Specific Fixes
WordPress sites are particularly prone to redirect loops because WordPress has its own URL settings and plugins that can conflict with Cloudflare. If changing the SSL mode alone does not resolve the issue, try these additional fixes.
Fix 1: Update wp-config.php
Add the following lines to your wp-config.php file, before the line that says "That's all, stop editing!":
```php
// Fix for Cloudflare Flexible SSL (temporary workaround).
// X-Forwarded-Proto is a request header: trust it only if the origin
// accepts connections from Cloudflare alone.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// Force correct site URLs
define('WP_HOME', 'https://yourdomain.com');
define('WP_SITEURL', 'https://yourdomain.com');
```
The HTTP_X_FORWARDED_PROTO snippet is a workaround, not a proper fix. It tells WordPress to trust Cloudflare's header indicating the original request was HTTPS. The real fix is to use Full (Strict) SSL mode so your origin actually receives HTTPS connections.
Fix 2: Check WordPress URL Settings
If you can access your WordPress admin panel (try adding ?nowprocket or clearing cookies), go to Settings → General and ensure both the WordPress Address (URL) and Site Address (URL) start with https://. Mismatched protocols here are a common cause of redirect loops.
Fix 3: Deactivate SSL/Redirect Plugins
Plugins like Really Simple SSL, WP Force SSL, or Easy HTTPS Redirection can conflict with Cloudflare's own redirect handling. If you are using Full (Strict) SSL mode, these plugins are unnecessary because both Cloudflare and your server already handle HTTPS. Try deactivating them via SFTP by renaming the plugin folder:
```bash
# Rename the plugin folder to deactivate it
mv wp-content/plugins/really-simple-ssl wp-content/plugins/really-simple-ssl.bak
```
Fix 4: Clean .htaccess (Apache)
If your WordPress site runs on Apache, check the .htaccess file in the root directory for duplicate or conflicting redirect rules. A clean WordPress .htaccess should contain only the standard rewrite rules:
```apache
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
```
Remove any additional RewriteRule entries that force HTTPS redirects. With Cloudflare Full (Strict) mode, HTTPS is already enforced at the edge and the origin receives genuine HTTPS connections.
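To find the rules this step asks you to remove, the following added example (not code from the original article) scans .htaccess text for RewriteRule entries that force HTTPS and reports whether each one is guarded by an X-Forwarded-Proto condition. The sample file contents and the function name `https_redirect_rules` are constructed for illustration.

```python
# Constructed sample .htaccess (not from the page): two HTTPS-forcing rules of
# the kind SSL plugins commonly add, followed by the standard WordPress block.
SAMPLE = r"""
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""


def https_redirect_rules(text):
    """Return [(line_no, rule, guarded)] for RewriteRules that force HTTPS.

    guarded is True when one of the rule's RewriteCond lines tests
    X-Forwarded-Proto, i.e. the rule tolerates a TLS-terminating proxy.
    """
    findings, conds = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond":
            conds.append(line)           # conditions attach to the next rule
        elif directive == "rewriterule":
            target = parts[2] if len(parts) > 2 else ""
            if target.lower().startswith("https://"):
                guarded = any("x-forwarded-proto" in c.lower() for c in conds)
                findings.append((no, line, guarded))
            conds = []                   # a RewriteRule consumes its conditions
    return findings
```

An unguarded finding (`guarded` is False) is the kind of rule that loops behind Flexible mode; with Full (Strict) either kind is redundant with the edge redirect.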
Nginx Configuration Fix
If your origin server uses Nginx and has a server block that redirects HTTP to HTTPS, this will conflict with Cloudflare's Flexible mode. Here is the typical problematic configuration:
```nginx
# This CAUSES the redirect loop with Cloudflare Flexible mode:
server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$host$request_uri;  # <-- The culprit
}
```
The proper fix is to switch Cloudflare to Full (Strict) and keep your Nginx redirect as-is. However, if you must use Flexible mode temporarily, you can modify Nginx to check the Cloudflare header:
```nginx
# Conditional redirect (only if the request was NOT already HTTPS at the edge):
server {
    listen 80;
    server_name yourdomain.com;

    # X-Forwarded-Proto carries the scheme the visitor used to reach Cloudflare
    set $redirect_to_https 0;
    if ($http_x_forwarded_proto != "https") {
        set $redirect_to_https 1;
    }
    if ($redirect_to_https) {
        return 301 https://$host$request_uri;
    }

    # ... rest of your config
}
```
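The hops described under "What Causes the Redirect Loop?" and the X-Forwarded-Proto workaround above can be checked with a small model. This is an added example, not Cloudflare's or the article's code: `example.test`, the function names, and `max_hops` are assumptions, and the mode-to-scheme mapping is taken from the SSL mode table.

```python
# Added model of the request path (constructed; not Cloudflare or Panelica code).
# example.test is a placeholder host; max_hops stands in for a browser's cap.
ORIGIN_HOP = {"flexible": "http", "full": "https", "strict": "https"}


def origin(socket_scheme, forwarded_proto, rest, header_aware):
    """Origin that forces HTTPS; returns (status, Location or None)."""
    # header_aware models the wp-config.php / Nginx workaround: the origin
    # believes X-Forwarded-Proto instead of the scheme of its own socket.
    # That header is only trustworthy if the origin accepts proxy traffic only.
    seen = forwarded_proto if header_aware else socket_scheme
    if seen != "https":
        return 301, "https://" + rest
    return 200, None


def edge(url, ssl_mode, header_aware):
    """Edge terminates the visitor's TLS, then opens the hop to the origin."""
    visitor_scheme, rest = url.split("://", 1)
    return origin(ORIGIN_HOP[ssl_mode], visitor_scheme, rest, header_aware)


def trace(url, ssl_mode, header_aware=False, max_hops=20):
    """Follow redirects as a browser would; returns (outcome, list of URLs)."""
    chain = [url]
    for _ in range(max_hops):
        status, location = edge(chain[-1], ssl_mode, header_aware)
        if status == 200:
            return "ok", chain
        if location in chain:          # redirected to a URL already requested
            return "loop", chain + [location]
        chain.append(location)
    return "too_many_redirects", chain


def loop_matrix(url="https://example.test/wp-admin/"):
    """Outcome for each SSL mode, without and with the header workaround."""
    return {(mode, aware): trace(url, mode, aware)[0]
            for mode in ORIGIN_HOP for aware in (False, True)}


if __name__ == "__main__":
    for key, outcome in loop_matrix().items():
        print(key, outcome)
```

Only the combination of Flexible mode and an origin that judges the scheme by its own socket loops; the header-aware origin stops redirecting, but its hop from Cloudflare is still plain HTTP.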
Additional Troubleshooting
Cloudflare Page Rules
Check your Cloudflare Page Rules for any conflicting "Always Use HTTPS" or "Forwarding URL" rules that might be creating additional redirects. Go to Rules → Page Rules in the Cloudflare dashboard and review each rule. Multiple rules that match the same URL pattern can cause unexpected behavior.
Browser Cache
Browsers aggressively cache 301 (permanent) redirects. After fixing the Cloudflare SSL mode, you may still see the redirect error because your browser cached the old redirect. Try these steps:
- Press Ctrl+Shift+Delete (Windows/Linux) or Cmd+Shift+Delete (Mac) to open the cache clearing dialog. Select "Cached images and files" and clear.
- Open an incognito/private window (Ctrl+Shift+N) and navigate to your site. If it works in incognito but not in a regular window, the issue is cached redirects.
Mixed Content Issues
After fixing the redirect loop, you might encounter mixed content warnings. This happens when your HTML loads over HTTPS but references HTTP resources (images, scripts, stylesheets). Enable Automatic HTTPS Rewrites in the Cloudflare dashboard under SSL/TLS → Edge Certificates to automatically fix most mixed content issues.
Solving This with Panelica
Here is what Panelica does differently:
Every domain added to Panelica automatically receives a free Let's Encrypt certificate. No manual configuration, no expiration worries — certificates auto-renew 30 days before expiry.
When connecting a domain to Cloudflare via Panelica, the SSL mode is set to Full (Strict) automatically. The panel also enables Always Use HTTPS and Automatic HTTPS Rewrites.
Panelica's Cloudflare tab lets you manage DNS records, SSL mode, cache settings, and security rules from a single interface — no need to switch between panels.
Origin server Nginx configurations are generated with proper SSL settings, eliminating the possibility of HTTP/HTTPS conflicts at the origin level.
Prevention Checklist
Use this checklist to ensure you never encounter the redirect loop again:
- Cloudflare SSL/TLS mode is set to Full (Strict)
- A valid SSL certificate (Let's Encrypt or Cloudflare Origin CA) is installed on the origin server
- WordPress Site URL and Home URL both use https://
- No conflicting SSL plugins are active (Really Simple SSL, WP Force SSL, etc.)
- Cloudflare "Always Use HTTPS" is enabled under Edge Certificates
- Cloudflare "Automatic HTTPS Rewrites" is enabled to fix mixed content
- No Page Rules create conflicting redirects for the same URL pattern
- .htaccess or Nginx config does not have duplicate HTTPS redirect rules
- Browser cache has been cleared after making changes
- DNS is properly proxied through Cloudflare (orange cloud icon)
Quick Reference: Error to Fix
| Symptom | Likely Cause | Fix |
|---|---|---|
| ERR_TOO_MANY_REDIRECTS | Flexible SSL + origin HTTPS redirect | Change to Full (Strict) |
| Redirect loop only on certain pages | Conflicting Page Rules | Review and fix Page Rules |
| Loop after installing SSL plugin | Plugin conflicts with Cloudflare | Deactivate the plugin |
| Loop on WordPress admin only | wp-config.php URL mismatch | Set WP_HOME and WP_SITEURL |
| Works in incognito, not in regular | Cached 301 redirect | Clear browser cache |
| Loop started after DNS change | New proxy enabled Flexible mode | Set SSL to Full (Strict) |
Conclusion
The ERR_TOO_MANY_REDIRECTS error with Cloudflare is almost always caused by one thing: the SSL encryption mode is set to Flexible while the origin server enforces HTTPS. The fix is simple — change the mode to Full (Strict) and ensure a valid SSL certificate is installed on your origin server.
For WordPress sites, also verify that your site URLs are set to HTTPS and that no conflicting SSL plugins are interfering with Cloudflare's SSL handling. For Nginx or Apache servers, ensure your HTTPS redirect rules are compatible with Cloudflare's proxy behavior.
The best way to avoid this issue altogether is to use a server management panel like Panelica that automatically configures SSL certificates and sets optimal Cloudflare defaults. With the right configuration from the start, you will never see this error again.