WordPress OAuth fix

Fix WordPress plugin OAuth callback URLs.

WordPress OAuth plugins often generate callback URLs from the current site URL, wp-admin route, plugin slug, and proxy settings. A migration or domain change can leave the provider dashboard with the old callback.

When to use this fix

  • A WordPress plugin shows a provider callback URL to copy.
  • The site moved from staging, localhost, or HTTP to production HTTPS.
  • The provider error mentions redirect_uri_mismatch.
  • The callback path includes wp-admin/admin.php, admin-ajax.php, or a plugin-specific query parameter.

When not to use this fix

  • The provider redirects back successfully but WordPress cannot process the authorization code.
  • The failure is a WordPress REST API nonce or permission error.
  • The plugin is using a custom callback endpoint you intentionally overrode in code.
  • You are debugging SMTP or webhook callbacks, not OAuth authorization redirects.

Before and after provider setting

Before

Provider redirect URI:
http://staging.example.com/wp-admin/admin.php?page=plugin-oauth

Live plugin displays:
https://example.com/wp-admin/admin.php?page=plugin-oauth

After

Provider redirect URI:
https://example.com/wp-admin/admin.php?page=plugin-oauth

Live plugin sends:
https://example.com/wp-admin/admin.php?page=plugin-oauth

Pattern to verify in your environment.

WordPress-specific checks

  1. Open the plugin settings on the live site and copy the displayed callback URL.
  2. Confirm WordPress Address and Site Address use the canonical production URL.
  3. Check whether Cloudflare or a proxy makes WordPress generate HTTP internally.
  4. Confirm the provider dashboard field is a redirect/callback URI, not only an origin field.
  5. Clear plugin caches or re-save settings if the callback still shows the old domain.

Success looks like this

1. Provider accepts the authorization request.
2. Browser redirects back to the WordPress plugin callback.
3. Plugin receives an authorization code.
4. Any remaining error is now token exchange or provider permission, not redirect URI comparison.

Common false positives

  • A provider dashboard accepts multiple callbacks, but the plugin sends a different client ID than the one you edited.
  • The plugin callback shown in wp-admin changes after switching site URL, SSL, or multisite domain mapping.
  • The callback appears to work in an admin browser because an old session masks the real production URL.