• Resolved gabbsmo

    (@gabbsmo)


    We discovered that for some of our sites logging in with Microsoft was not possible.

    Symptoms:

    1. When opening /wp-admin the user is immediately redirected to the home page (/ or /en/ with WPML)
    2. Same when opening /login and clicking Sign in with Microsoft
    3. The user never sees login.microsoftonline.com – so there are no errors in the Entra ID sign in logs

    The above was tested with all other plugins disabled.

    SSO configuration:
    Idp: EntraID
    Protocol: OIDC
    Flow: Hybrid
    Redirect URI: https://foobar/wp-admin/

    wp-config.php: define( 'WPO_AUTH_SCENARIO', 'internet' );

    We found that the sites with the issue were using version 42.2 of WPO365. After reverting to version 41.3 all sites started working again.

    Debug log:

    05-25-2026 14:52:16.237016
    DEBUG
    Wpo\Services\Ajax_Service::ajax_response -> Sending an AJAX response with status OK and message
    05-25-2026 14:52:16.228554
    DEBUG
    Wpo\Services\Authentication_Service::skip_authentication -> Found [/admin-ajax.php] thus cancelling session validation for path /wp-admin/admin-ajax.php
    05-25-2026 14:52:16.228544
    DEBUG
    Array ( [0] => /login/ [1] => admin-ajax.php [2] => wp-cron.php [3] => xmlrpc.php [4] => /wp-login.php [5] => /favicon.ico )
    05-25-2026 14:52:16.228536
    DEBUG
    Wpo\Services\Authentication_Service::skip_authentication -> Pages Blacklist after error page / custom login has verified
    05-25-2026 14:52:16.228506
    DEBUG -> Wpo\Services\Authentication_Service::skip_authentication

    05-25-2026 14:52:16.228465
    DEBUG -> Wpo\Services\Authentication_Service::authenticate_request

    05-25-2026 14:52:15.886680
    DEBUG
    Wpo\Services\Authentication_Service::authenticate_request -> User is a WordPress-only user so no authentication is required
    05-25-2026 14:52:15.886664
    DEBUG
    Array ( [0] => /login/ [1] => admin-ajax.php [2] => wp-cron.php [3] => xmlrpc.php [4] => /wp-login.php [5] => /favicon.ico )
    05-25-2026 14:52:15.886652
    DEBUG
    Wpo\Services\Authentication_Service::skip_authentication -> Pages Blacklist after error page / custom login has verified
    05-25-2026 14:52:15.886612
    DEBUG -> Wpo\Services\Authentication_Service::skip_authentication

    05-25-2026 14:52:15.886538
    DEBUG -> Wpo\Services\Authentication_Service::authenticate_request

    05-25-2026 14:52:13.020830
    DEBUG
    Wpo\Services\Authentication_Service::authenticate_request -> User requesting /wp-admin/ is not logged in and therefore sending the user to Microsoft to sign in
    05-25-2026 14:52:13.020796
    DEBUG
    Array ( [0] => /login/ [1] => admin-ajax.php [2] => wp-cron.php [3] => xmlrpc.php [4] => /wp-login.php [5] => /favicon.ico )
    05-25-2026 14:52:13.020771
    DEBUG
    Wpo\Services\Authentication_Service::skip_authentication -> Pages Blacklist after error page / custom login has verified
    05-25-2026 14:52:13.020288
    DEBUG -> Wpo\Services\Authentication_Service::skip_authentication

    05-25-2026 14:52:13.020229
    DEBUG -> Wpo\Services\Authentication_Service::authenticate_request

    05-25-2026 14:52:08.403318
    DEBUG
    Wpo\Services\Ajax_Service::ajax_response -> Sending an AJAX response with status OK and message
    05-25-2026 14:52:08.393135
    DEBUG
    Wpo\Services\Authentication_Service::skip_authentication -> Found [/admin-ajax.php] thus cancelling session validation for path /wp-admin/admin-ajax.php
    05-25-2026 14:52:08.393123
    DEBUG
    Array ( [0] => /login/ [1] => admin-ajax.php [2] => wp-cron.php [3] => xmlrpc.php [4] => /wp-login.php [5] => /favicon.ico )
    05-25-2026 14:52:08.393114
    DEBUG
    Wpo\Services\Authentication_Service::skip_authentication -> Pages Blacklist after error page / custom login has verified
    05-25-2026 14:52:08.393068
    DEBUG -> Wpo\Services\Authentication_Service::skip_authentication

    05-25-2026 14:52:08.393008
    DEBUG -> Wpo\Services\Authentication_Service::authenticate_request

    05-25-2026 14:52:08.314989
    DEBUG
    Wpo\Services\Ajax_Service::ajax_response -> Sending an AJAX response with status OK and message
    05-25-2026 14:52:08.304217
    DEBUG
    Wpo\Services\Authentication_Service::skip_authentication -> Found [/admin-ajax.php] thus cancelling session validation for path /wp-admin/admin-ajax.php
    05-25-2026 14:52:08.304206
    DEBUG
    Array ( [0] => /login/ [1] => admin-ajax.php [2] => wp-cron.php [3] => xmlrpc.php [4] => /wp-login.php [5] => /favicon.ico )
    05-25-2026 14:52:08.304197
    DEBUG
    Wpo\Services\Authentication_Service::skip_authentication -> Pages Blacklist after error page / custom login has verified
    05-25-2026 14:52:08.304155
    DEBUG -> Wpo\Services\Authentication_Service::skip_authentication

    05-25-2026 14:52:08.304105
    DEBUG -> Wpo\Services\Authentication_Service::authenticate_request

    05-25-2026 14:52:08.220697
    DEBUG
    Wpo\Services\Ajax_Service::ajax_response -> Sending an AJAX response with status OK and message
    05-25-2026 14:52:08.204327
    DEBUG
    Wpo\Services\Authentication_Service::skip_authentication -> Found [/admin-ajax.php] thus cancelling session validation for path /wp-admin/admin-ajax.php

    • This topic was modified 3 weeks, 2 days ago by gabbsmo.
Viewing 15 replies - 1 through 15 (of 18 total)
  • I have the same issue with versions 42.2 and 42.1. The “redirect to front page” error occurs when trying to access /wp-admin or when clicking “Sign in with Microsoft”. Instead of redirecting to Microsoft login, the site redirects back to the homepage. Because of this, I downgraded to version 42.0, and that version works correctly.

    Please fix this issue ASAP @wpo365

    Thanks, Simon

    Plugin Author Marco van Wieren

    (@wpo365)

    Hi @simonmista and @gabbsmo

    You’re absolutely right. The last update ignored the custom authentication scenario WPO_AUTH_SCENARIO. I have just released version 43.3. This release should resolve this issue.

    Thank you for making me aware of this and I am sorry for any inconvenience!

    -Marco

    Thread Starter gabbsmo

    (@gabbsmo)

    Thank you for the swift fix. It works as expected now.

    Thread Starter gabbsmo

    (@gabbsmo)

    @wpo365 I may have been too quick. While it seemed to work on its own – it is not working when I reactivate WPML.

    When I open a new tab with incognito mode and browse to /wp-admin I am redirected to /en/wpo/sso/start/ (/en/ is our language path in WPML).

    Plugin Author Marco van Wieren

    (@wpo365)

    Hi @gabbsmo

    I am also looking at a different but similar issue. I guess the problem may be that the plugin is comparing the home URL + the custom sso-start endpoint (being wpo/sso/start). If WPML is also adding a rewrite rule, then things are getting a bit messy of course.

    I will look into this issue now and let you know my findings and next step.

    Thank you for your patience!

    Plugin Author Marco van Wieren

    (@wpo365)

    Hi @gabbsmo

    I have just now released version 42.4. I reviewed the current detection and realized that there are also other scenarios where the detection will fail. I have updated the detection to “must end with”, which should also be able to work around the URL changed by WPML – for example when it adds /en/.

    Thank you again for bringing this to my attention!

    -Marco
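
    The difference between an exact comparison and a "must end with" check on the sso-start endpoint, as an added example (not WPO365 source code and not part of the original posts). The function names are hypothetical; the endpoint name and the home URL https://foobar are taken from the thread.

```php
<?php
// Added illustration, not WPO365 source. Function names are hypothetical.
const SSO_START = 'wpo/sso/start'; // endpoint name quoted in the thread

// Exact match: request path must equal home path + endpoint.
function is_sso_start_exact(string $request_uri, string $home_url): bool
{
    $home = trim((string) parse_url($home_url, PHP_URL_PATH), '/');
    $want = trim($home . '/' . SSO_START, '/');
    $have = trim((string) parse_url($request_uri, PHP_URL_PATH), '/');
    return $have === $want;
}

// "Must end with": only the path component is inspected, and the match is
// anchored on a '/' boundary so 'xwpo/sso/start' does not qualify.
function is_sso_start_suffix(string $request_uri): bool
{
    $path = parse_url($request_uri, PHP_URL_PATH);
    if (!is_string($path)) {
        return false; // unparsable URI: never treat it as the endpoint
    }
    $path   = '/' . trim($path, '/');
    $needle = '/' . SSO_START;
    return substr($path, -strlen($needle)) === $needle;
}

// Constructed sample requests (the cb value is a placeholder).
$samples = [
    '/wpo/sso/start',
    '/en/wpo/sso/start/',
    '/sv/wpo/sso/start/?cb=PLACEHOLDER',
    '/?next=/wpo/sso/start',
    '/xwpo/sso/start',
];

foreach ($samples as $uri) {
    printf(
        "%-36s exact=%-5s suffix=%s\n",
        $uri,
        var_export(is_sso_start_exact($uri, 'https://foobar'), true),
        var_export(is_sso_start_suffix($uri), true)
    );
}
```

    Matching on the parsed path rather than the raw request URI keeps a query string that merely contains the endpoint name from being treated as the SSO start request.
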

    Thread Starter gabbsmo

    (@gabbsmo)

    Hi @wpo365.

    I just updated and in private browsing /wp-admin redirects to /sv/wpo/sso/start/?cb=6421d108-c591-43f9-8c2a-f0a70ba0893a for me now. I see your spinning animation but I never get to login.microsoftonline.com.

    Clicking ‘Sign in with Microsoft’ on /login seems to work however.

    Plugin Author Marco van Wieren

    (@wpo365)

    Hi @gabbsmo

    Are you using the Teams integration? If you do not use the site in a Microsoft Teams App or Tab (or in an iframe), then please try and uncheck the option “Use client-side redirect” on the plugin’s “Login / logout” configuration page, clear all server caches and test again.

    Hope this helps!

    Thread Starter gabbsmo

    (@gabbsmo)

    Hi @wpo365,

    No, we are not using the Microsoft Teams integration. I disabled client side redirect and it seems to work on my end. I will let you know if I or our other users find any more issues.

    Best regards

    Hi @wpo365,

    unfortunately this still isn’t working on my end. Opening /wp-admin redirects to the sso/start endpoint but never reaches login.microsoftonline.com – it just stays on the spinner.

    Example URL: https://www.depak.de/wp/wp-admin/
    → redirects to https://www.depak.de/wpo/sso/start (and stops there)

    I have these two plugins:

    • WPO365 | LOGIN – version 42.4
    • WPO365 | LOGIN PLUS – version 42.1

    Quick Update: version 42.3 worked fine before

    Thanks,
    Simon

    • This reply was modified 2 weeks, 6 days ago by Simon Mista.
    Plugin Author Marco van Wieren

    (@wpo365)

    Thank you @gabbsmo for confirming that it works when you disable the use of the client-side redirect. When you don’t need Teams or iframe support, then you’re anyway better off with it. The plugin’s Self-test would have also highlighted this. I will – however – look into re-enabling support for the combination of defining WPO_AUTH_SCENARIO in a wp-config.php and client-side redirection.

    Again, thanks and let me know if anything comes up!

    Plugin Author Marco van Wieren

    (@wpo365)

    Hi @simonmista

    I checked the URL that you posted and noticed that I indeed land at the wpo/sso/start?cb=… and that indicates that you didn’t yet disable the option “Use client-side redirect” on the plugin’s “Login / logout” configuration page or that you need to clear all server caches. Please ensure that this specific option is disabled (when you’re not embedding the WordPress site in Teams or an iframe), clear all server caches and test again.

    Hope that helps!

    Plugin Author Marco van Wieren

    (@wpo365)

    Hi @gabbsmo and @simonmista

    For the sake of clarity, I would like to add the following. When you add the following line to your wp-config.php define( 'WPO_AUTH_SCENARIO', 'internet' ); then the plugin will try and bail out as soon as a request is not for your WP admin. Version 42.4 fixes this, but the combination with “Use client-side redirect” on the plugin’s “Login / logout” configuration page (causing the user to be redirected to Microsoft using a small JavaScript instead of being redirected by the server) has been overlooked. And as a result – if “Use client-side redirect” is enabled, a user is not redirected to Microsoft but instead ends up at https://<your website>/wpo/sso/start?cb=xyz. To fix this, there are actually 2 options:

    • Leave “Use client-side redirect” checked, but instead check the option “Use admin URL to initiate authentication” on the plugin’s “Miscellaneous” configuration page. This is the recommended solution when you need client-side redirection, for example because your website is embedded in Teams or an iframe.
    • Uncheck the “Use client-side redirect” option on the plugin’s “Login / logout” configuration page.

    Hope this helps you and others alike!

    -Marco

    Plugin Author Marco van Wieren

    (@wpo365)

    Hi

    I just released version 42.5. This version fixes the issue created by the combined options of define( 'WPO_AUTH_SCENARIO', 'internet' ); and Use client-side redirect enabled.

    Hope this helps!

    -Marco

    Our site is still experiencing issues with link redirects on version 42.5. Users visiting a non-home page while not logged in are redirected to the home page after logging in, instead of being directed to the non-home page they were attempting to visit.

    We do not have any WPO_* constants defined and I have “Always send user to default / custom landing page” unchecked.
