Fixes a false-positive Cloudflare warning for operators who route wp-admin through a private proxy or hostname that bypasses Cloudflare. The plugin now probes the public front-end to determine the real Cloudflare state instead of inferring from the admin request. Recommended for anyone seeing a "not behind Cloudflare" warning despite their site clearly being proxied.<\/p>","2.5.5":"
Fixes a long-standing bug where the Bypass Cookies setting on the main settings page would reject every value as invalid and silently clear the stored list. Recommended for any site using bypass cookies for membership\/login integration.<\/p>","2.5.4":"
New Exempt Paths feature lets you keep your homepage, privacy policy, and registration pages accessible to all visitors while gating the rest of the site. New admin diagnostic catches Cloudflare misconfigurations that previously failed silently. Documentation also expanded on Cloudflare\/DNS prerequisites. Recommended for all users.<\/p>","2.5.3":"
MU plugin now auto-installs and self-heals. Fixes a class of silent failures affecting sites that upgraded from very old plugin versions where country-wide region rules could fail without warning. Recommended for all users, especially those who have been using the plugin since before 2.3.0.<\/p>","2.5.2":"
Readme overhaul plus a fix for a 404 error when editing country-wide regions in the admin. Recommended for all users with country-level regions configured.<\/p>","2.5.1":"
Adds credit pack purchasing via PayPal with a 300-credit bonus on first purchase. Recommended for sites needing more than 100 verifications per month.<\/p>","2.5.0":"
Interstitial consent gate eliminates passive bot session creation. Visitor IP now passed to API for per-IP rate limiting. Recommended for all users, especially high-traffic sites.<\/p>","2.4.2":"
MU plugin cookie handling optimization and improved phpcs annotations.<\/p>","2.4.1":"
Security and compliance improvements for WordPress.org review. Free Plan Admin now uses WP REST API. MU plugin redirect URLs are HMAC-verified. Recommended for all users.<\/p>","2.3.0":"
New free plan with 100 monthly credits, built-in region management, configurable fail behavior, and detailed verification history. Recommended for all users.<\/p>","2.2.0":"
Security improvements including signed cookies, test mode, and setup checklist. Recommended for all users.<\/p>","2.1.0":"
Critical security fix \u2014 removes region parameter override vulnerability. Update immediately.<\/p>"},"ratings":{"1":0,"2":0,"3":0,"4":0,"5":1},"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3482278,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3482278,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-772x250.png":{"filename":"banner-772x250.png","revision":3482278,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["2.4.2","2.5.0","2.5.1","2.5.2","2.5.3","2.5.4","2.5.5","2.5.6"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3482278,"resolution":"1","location":"assets","locale":"","width":765,"height":360},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3482278,"resolution":"2","location":"assets","locale":"","width":921,"height":766},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3482278,"resolution":"3","location":"assets","locale":"","width":1294,"height":512},"screenshot-4.png":{"filename":"screenshot-4.png","revision":3482278,"resolution":"4","location":"assets","locale":"","width":1306,"height":1183},"screenshot-5.png":{"filename":"screenshot-5.png","revision":3482278,"resolution":"5","location":"assets","locale":"","width":704,"height":357},"screenshot-6.png":{"filename":"screenshot-6.png","revision":3482278,"resolution":"6","location":"assets","locale":"","width":775,"height":1250}},"screenshots":{"1":"Settings page with setup checklist and API health check","2":"Age verification page with QR code and verification options","3":"Region management with minimum age configuration","4":"Exempt Paths tab \u2014 configure URLs that bypass the age gate","5":"Recent verifications with detailed attempt history","6":"Plan status showing credit usage and remaining balance","7":"Test mode in action \u2014 simulating a region with ?reg= parameter"}},"plugin_section":[],"plugin_tags":[139798,70877,41695,5616,5617],"plugin_category":[],"plugin_contributors":[257723],"plugin_business_model":[],"class_list":["post-286954","plugin","type-plugin","status-publish","hentry","plugin_tags-adults-only","plugin_tags-age-gate","plugin_tags-age-restriction","plugin_tags-age-verification","plugin_tags-age-verify","plugin_contributors-xyzageverify","plugin_committers-xyzageverify"],"banners":{"banner":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/banner-772x250.png?rev=3482278","banner_2x":false,"banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/icon-128x128.png?rev=3482278","icon_2x":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/icon-256x256.png?rev=3482278","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/screenshot-1.png?rev=3482278","caption":"Settings page with setup checklist and API health check"},{"src":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/screenshot-2.png?rev=3482278","caption":"Age verification page with QR code and verification options"},{"src":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/screenshot-3.png?rev=3482278","caption":"Region management with minimum age configuration"},{"src":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/screenshot-4.png?rev=3482278","caption":"Exempt Paths tab \u2014 configure URLs that bypass the age gate"},{"src":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/screenshot-5.png?rev=3482278","caption":"Recent verifications with detailed attempt history"},{"src":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/screenshot-6.png?rev=3482278","caption":"Plan status showing credit usage and remaining balance"}],"raw_content":"\n
Most WordPress age verification plugins are age gates<\/strong> \u2014 a popup that asks visitors to click \"Yes, I'm 18+\" or pick a birthday from a dropdown. Anyone, including a minor, can click through in under a second. That used to be the standard. It is no longer a defensible compliance measure under the UK Online Safety Act, US state age verification laws (Texas, Louisiana, Virginia, and a growing list), or EU age assurance requirements under the Digital Services Act.<\/p>\n\n XYZ Age Verification is different. It confirms visitors are adults using a real-time selfie liveness check, with automatic escalation to government ID verification for borderline cases or stricter age thresholds. No biometric data is stored.<\/strong> No checkbox to lie to. No date-of-birth dropdown that a child can spin in five seconds.<\/p>\n\n When you need this plugin:<\/strong><\/p>\n\n Important \u2014 Cloudflare is required:<\/strong><\/p>\n\n This plugin requires that your site is proxied through Cloudflare's network<\/strong>. This is not an optional integration. Without Cloudflare, the plugin cannot determine where visitors are connecting from, and it will not work.<\/p>\n\n Setting up Cloudflare involves changing your domain's DNS settings to point at Cloudflare's nameservers. This is a real infrastructure change with real consequences:<\/p>\n\n If you do not have experience with DNS migration, or if your site's email and DNS are managed by someone else, please read these guides before installing the plugin:<\/p>\n\n This plugin is not a fit for site owners who are not prepared to manage their own DNS.<\/strong> If your site is hosted on a fully-managed platform where DNS is controlled by the host, or if the prospect of changing nameservers is unfamiliar, consider hiring help for the Cloudflare migration before installing. Alternatively, simpler self-declaration age gate plugins may better match your operational comfort level \u2014 they are not real verification, but they also do not require infrastructure changes.<\/p>\n\n Why XYZ Age Verification:<\/strong><\/p>\n\n Free plan included:<\/strong><\/p>\n\n This plugin includes a free plan with 100 verification credits per month \u2014 no credit card required. Register directly from the plugin settings page with just your email. Credits reset monthly. Additional credit packs are available via PayPal for sites that need more capacity; your first purchase includes 300 bonus credits and switches your site to prepaid billing (credits do not expire or reset monthly).<\/p>\n\n How it works:<\/strong><\/p>\n\n Requirements:<\/strong><\/p>\n\n External service \u2014 XYZ Age Verification API:<\/strong><\/p>\n\n This plugin connects to the XYZ Age Verification API at When a visitor triggers verification, the plugin sends the visitor's country and state codes (derived from Cloudflare headers) to the API to create a verification session. The visitor then interacts directly with the verification UI hosted by the service. No biometric data passes through your WordPress server. The plugin polls the API for session status and receives only a pass\/fail result.<\/p>\n\n Complete feature list:<\/strong><\/p>\n\n Media files in The current model gates the entire site for visitors from configured regions, with the new Exempt Paths feature (2.5.4) allowing specific URLs to bypass the gate. A future release will add the inverse model \u2014 restricted paths<\/strong> \u2014 where the gate applies only to specific URL paths (e.g., Credit packs are available for purchase via PayPal at xyzinc.com\/credits<\/a>. Purchased credits persist until used \u2014 they do not expire or reset monthly. Multiple packs can be stacked. Your first purchase includes a bonus of 300 credits and switches your site to prepaid billing, replacing the monthly free credit allocation.<\/p>\n\n This plugin includes the following third-party library:<\/p>\n\n No build tools are required. The library is included as-is from the upstream repository with a minor CSS modification (image display style changed from \"block\" to \"inline-block\" for QR code placement). The unminified source is included for review.<\/p>\n\n\n Most plugins listed under \"age verification\" are technically age gates<\/strong> \u2014 a popup with a \"Yes, I'm 18+\" button or a date-of-birth dropdown. A minor can pass these in seconds by clicking the right button or picking a year. They satisfy a checkbox-level compliance requirement but do not actually verify that the visitor is an adult.<\/p>\n\n XYZ Age Verification performs real verification: a real-time selfie liveness check confirms a living person is present, and a trained classifier evaluates the probability that the person is a minor. Borderline cases automatically escalate to government ID verification. The result is a binary adult\/not-adult determination backed by biometrics or a verifiable identity document \u2014 not a click.<\/p>\n\n If a self-declaration popup is sufficient for your compliance needs, plenty of free plugins offer that. If you need real verification because of OFCOM, US state laws, EU requirements, or your platform's own policies, this plugin is built for that.<\/p><\/dd>\n Nowhere. Selfies, liveness frames, and government ID images are processed in real time by the verification service and discarded immediately after the session completes \u2014 regardless of the outcome. The only data retained is the verification result (pass\/fail), session metadata, a timestamp, and the visitor's IP address (for fraud detection). Date of birth from ID documents is used transiently for age calculation and then discarded. Full details are in the Privacy Policy<\/a>.<\/p>\n\n This is a fundamental architectural choice. The system does not maintain a database of faces, IDs, or verified identities, so there is no honeypot to breach.<\/p><\/dd>\n Yes. The plugin itself is completely free and open source. It connects to the XYZ Age Verification API, which includes a free plan with 100 verification credits per month \u2014 no credit card required. One credit is consumed per face liveness attempt, three credits total per document verification. Additional credit packs are available for purchase via PayPal at xyzinc.com\/credits<\/a>. Your first purchase includes 300 bonus credits and switches your site to a prepaid billing model \u2014 prepaid credits do not expire or reset monthly.<\/p><\/dd>\n Credits represent verification attempts. Each face liveness check (Tier 1) costs 1 credit. Each document verification (Tier 2) costs 3 credits total. Your free plan includes 100 credits per month, resetting on the first of each month. Unused credits do not roll over.<\/p><\/dd>\n For age thresholds of 18, most visitors complete verification with a quick selfie. The liveness check includes a minor-probability assessment, and any result that crosses a conservative threshold automatically escalates to government ID verification. This means most adult visitors never see the ID step, while visitors whose appearance is ambiguous are asked for verifiable proof.<\/p>\n\n For age thresholds above 18 (e.g., 21+ for alcohol, cannabis, or certain firearms content), ID verification is always required because a selfie alone cannot establish a specific age \u2014 only a date of birth from an ID document can. The plugin enforces this automatically for any region configured with a minimum age above 18.<\/p><\/dd>\n No. Tier 1 produces a binary adult\/not-adult determination, not an age estimate. The underlying classifier evaluates the probability that the subject is a minor; this probability drives the pass, fail, or escalate decision. The system never claims to know a visitor's age from a selfie. Specific age thresholds (21+, 25+, etc.) require Tier 2 because only an ID document supplies a verifiable date of birth.<\/p><\/dd>\n This depends on your API Failure Behavior<\/strong> setting. In \"fail open\" mode (the default), visitors are allowed through unverified. In \"fail closed\" mode, visitors are redirected to an error page until credits reset or you purchase additional credits. Verifications already in progress are allowed to complete. You can purchase credit packs at any time from xyzinc.com\/credits<\/a> \u2014 your first purchase includes 300 bonus credits.<\/p>\n\n European site operators with regulatory compliance obligations typically need \"fail closed.\"<\/p><\/dd>\n The plugin uses Cloudflare's There is no alternative geo-detection method that meets the plugin's accuracy and privacy requirements. Maxmind, IP2Location, and similar third-party databases are less accurate, require external lookups for every request, and would mean shipping IP addresses to additional services. Cloudflare's headers are calculated server-side by Cloudflare itself, with no extra request needed.<\/p>\n\n For more detail, see: Why XYZ Age Verification requires Cloudflare<\/a>.<\/p><\/dd>\n The plugin checks for three Cloudflare headers on admin page loads and shows a diagnostic notice if any are missing. There are three possible states:<\/p>\n\n The diagnostic reflects your current admin connection. If you administer the site via a VPN or another network that bypasses Cloudflare, the notice may appear even though visitors to your site are getting the headers correctly. The Cloudflare setup guide<\/a> walks through verifying headers from a normal visitor connection.<\/p><\/dd>\n Setting up Cloudflare means changing your domain's nameservers at your domain registrar to point at Cloudflare. Once Cloudflare is your DNS provider, all DNS records (A, AAAA, MX, TXT, CNAME) are managed in the Cloudflare dashboard instead of at your registrar.<\/p>\n\n The migration has implications worth understanding before you begin:<\/p>\n\n If you have never managed your own DNS, or if your site's email and other services are configured by someone else (a web host, an IT contractor), please read the Cloudflare setup guide<\/a> before installing this plugin. The guide focuses specifically on preserving email and other services during the migration.<\/p>\n\n If migrating to Cloudflare is not something you are comfortable doing or paying someone to do, this plugin is not the right choice.<\/strong> Simpler self-declaration age gate plugins do not require infrastructure changes, but they are not real verification \u2014 they are popups with no enforcement. Choose based on what your compliance obligations actually require.<\/p><\/dd>\n Yes, as of version 2.5.4. The plugin supports an Exempt Paths<\/strong> list \u2014 specific URLs that bypass the age gate entirely, even for visitors from gated regions. Common uses:<\/p>\n\n Exact paths and Important: do not exempt paths that contain age-restricted content.<\/strong> Exemption means the path is accessible to all visitors regardless of region \u2014 including any underage visitors who might attempt to reach it directly.<\/p><\/dd>\n The behavior is controlled by the API Failure Behavior<\/strong> setting on the Age Verification settings page. \"Fail open\" (the default) allows visitors through unverified to prevent your site from going offline. \"Fail closed\" redirects visitors to an error page. Sites with compliance obligations should generally use \"fail closed.\"<\/p><\/dd>\n The MU plugin ( No.<\/strong> WP Rocket's page cache serves static HTML files via its The verification cookie is cryptographically signed using HMAC-SHA256. Setting a fake cookie value will not pass signature verification. The verification logic runs at the must-use plugin level before any plugin-level code that could be tampered with via WordPress filters or hooks.<\/p><\/dd>\n No. The The gate runs at the must-use plugin level, which executes before WordPress loads user roles. At this stage the plugin can detect that a visitor is logged in but cannot distinguish between an administrator and a regular member. As a result, all logged-in WordPress users bypass the gate<\/strong>, not just administrators.<\/p>\n\n For most sites this is not an issue \u2014 anonymous visitors are verified before they can register or log in, so members have already passed verification. However, if your site requires re-verification for content that logged-in members can also access (e.g., tiered content where some sections require re-verification), this plugin alone is not a fit for that use case. Plan your registration flow with this behavior in mind.<\/p>\n\n If you need tighter integration with membership levels \u2014 for example, requiring different verification tiers for different membership levels, or protecting media files based on membership \u2014 XYZ Protect<\/a> integrates directly with MemberPress and Paid Memberships Pro to provide membership-aware authorization. It is a separate licensed plugin available at xyzinc.com.<\/p><\/dd>\n\n
\n
\n
\n
\n
\n
CF-IPCountry<\/code> and CF-Region-Code<\/code>). See the \"Cloudflare is required\" section above for the implications of changing your DNS.<\/li>\nhttps:\/\/age-verify.xyzinc.com<\/code>, operated by XY Zinc (a brand of Chaos Unlimited LLC), to perform biometric liveness detection and government ID document verification. The plugin cannot function without this service \u2014 it is the core verification engine.<\/p>\n\n\n
\n
Planned Features<\/h3>\n\n
Media file protection \u2014 available now in XYZ Protect<\/h4>\n\n
\/wp-content\/uploads\/<\/code> are served directly by your web server and do not pass through WordPress PHP execution, so a free WordPress plugin cannot restrict them. XYZ Protect<\/a> is a separate licensed plugin that solves this problem using a Cloudflare Worker \u2014 every media request is authorized before the file is served. XYZ Protect can be combined with this plugin for sites that need both page gating and file-level protection.<\/p>\n\nRestricted path mode (planned)<\/h4>\n\n
\/mature\/<\/code>, \/adult-content\/<\/code>) and the rest of the site is accessible without verification.<\/p>\n\n\n
Additional credit packs (available now)<\/h4>\n\n
Third-Party Libraries<\/h3>\n\n
\n
\n
assets\/js\/qrcode.js<\/code> (unminified source), assets\/js\/qrcode.min.js<\/code> (minified)<\/li>\n<\/ul><\/li>\n<\/ul>\n\n\n
xyz-age-verification-free<\/code> folder to \/wp-content\/plugins\/<\/code>.<\/li>\nage-gate<\/code> and add the [xyzav_age_verify]<\/code> shortcode to its content.<\/li>\nmu-plugin\/xyz-age-gate-redirect.php<\/code> from the plugin folder to \/wp-content\/mu-plugins\/<\/code>. Create the mu-plugins<\/code> directory if it does not exist.<\/li>\n\/age-gate\/<\/code> from caching. Note: WP Rocket is not compatible<\/strong> (see FAQ).<\/li>\n\n
How is this different from other age verification plugins on WordPress.org?<\/h3><\/dt>\n
Where is my biometric data stored?<\/h3><\/dt>\n
Is this plugin free?<\/h3><\/dt>\n
What are verification credits?<\/h3><\/dt>\n
How does the system decide when to ask for ID?<\/h3><\/dt>\n
Does Tier 1 estimate the visitor's age?<\/h3><\/dt>\n
What happens when my credits run out?<\/h3><\/dt>\n
Why does this plugin require Cloudflare?<\/h3><\/dt>\n
CF-IPCountry<\/code> and CF-Region-Code<\/code> headers to identify the country and (in the US) state that each visitor is connecting from. These headers are automatically added by Cloudflare's network when your site is proxied through it. Without these headers, the plugin has no reliable way to determine where a visitor is connecting from, and region-specific verification rules cannot work.<\/p>\n\nThe plugin shows a notice about missing Cloudflare headers. What does it mean?<\/h3><\/dt>\n
\n
CF-Ray<\/code> header at all<\/strong> \u2014 your site is not currently being served through Cloudflare. Either DNS migration is incomplete, or the proxy (orange cloud) is disabled on your A\/AAAA records. Region-based verification cannot work until this is resolved.<\/li>\nCF-Ray<\/code> present, but no CF-IPCountry<\/code><\/strong> \u2014 Cloudflare is in front of your site, but IP Geolocation is disabled. Enable it under Rules \u2192 Managed Transforms \u2192 Add visitor location headers<\/strong> in the Cloudflare dashboard. Available on the free plan.<\/li>\nCF-IPCountry<\/code> present, but no CF-Region-Code<\/code><\/strong> \u2014 country-level rules work, but US state and other subdivision-level rules will not. Enable the full \"Add visitor location headers\" Managed Transform (not just the country variant) in the Cloudflare dashboard. Available on the free plan.<\/li>\n<\/ul>\n\nWhat does \"setting up Cloudflare\" actually involve?<\/h3><\/dt>\n
\n
Can visitors see my homepage or registration page without going through verification?<\/h3><\/dt>\n
\n
\/<\/code> \u2014 your homepage, so visitors can see what the site is before deciding to verify<\/li>\n\/privacy-policy\/<\/code>, \/terms\/<\/code> \u2014 legal pages that must be accessible without verification<\/li>\n\/register\/<\/code>, \/login\/<\/code>, \/contact\/<\/code> \u2014 onboarding and contact pages<\/li>\n<\/ul>\n\n\/*<\/code> wildcard prefixes are supported (e.g., \/public\/*<\/code> exempts everything under \/public\/<\/code>). Configure exempt paths in the new Exempt Paths<\/strong> tab in the plugin admin.<\/p>\n\nWhat happens if the API is unreachable?<\/h3><\/dt>\n
What is the must-use plugin for?<\/h3><\/dt>\n
xyz-age-gate-redirect.php<\/code>) runs early in the WordPress loading process, before most plugins. It checks Cloudflare geo headers and the verification cookie on every request, redirecting unverified visitors to the age gate page. This early execution is essential for the gate to work reliably and to prevent unverified visitors from briefly seeing protected content.<\/p><\/dd>\nIs this plugin compatible with WP Rocket?<\/h3><\/dt>\n
advanced-cache.php<\/code> drop-in, which executes before must-use plugins load. This means WP Rocket can serve cached pages to unverified visitors, bypassing the gate entirely. WP Rocket does not currently offer a way to conditionally cache based on cookie presence. Other page cache plugins that respect the standard WordPress loading order are compatible \u2014 just exclude \/age-gate\/<\/code> from caching. Confirmed compatible: WP Super Cache (Simple mode only), Jetpack Boost, and W3 Total Cache.<\/p><\/dd>\nCan visitors bypass the gate with browser dev tools?<\/h3><\/dt>\n
Will the gate block me from my own WordPress admin?<\/h3><\/dt>\n
\/wp-admin\/<\/code> area and the login page are always exempted. All logged-in WordPress users are automatically bypassed at the redirect level, so administrators, editors, and other authenticated users will not encounter the gate while browsing the site.<\/p><\/dd>\nHow does this work with membership or subscriber sites?<\/h3><\/dt>\n