XYZ Age Verification

Preguntas frecuentes

How is this different from other age verification plugins on WordPress.org?

Most plugins listed under “age verification” are technically age gates — a popup with a “Yes, I’m 18+” button or a date-of-birth dropdown. A minor can pass these in seconds by clicking the right button or picking a year. They satisfy a checkbox-level compliance requirement but do not actually verify that the visitor is an adult.

XYZ Age Verification performs real verification: a real-time selfie liveness check confirms a living person is present, and a trained classifier evaluates the probability that the person is a minor. Borderline cases automatically escalate to government ID verification. The result is a binary adult/not-adult determination backed by biometrics or a verifiable identity document — not a click.

If a self-declaration popup is sufficient for your compliance needs, plenty of free plugins offer that. If you need real verification because of OFCOM, US state laws, EU requirements, or your platform’s own policies, this plugin is built for that.

Where is my biometric data stored?

Nowhere. Selfies, liveness frames, and government ID images are processed in real time by the verification service and discarded immediately after the session completes — regardless of the outcome. The only data retained is the verification result (pass/fail), session metadata, a timestamp, and the visitor’s IP address (for fraud detection). Date of birth from ID documents is used transiently for age calculation and then discarded. Full details are in the Privacy Policy.

This is a fundamental architectural choice. The system does not maintain a database of faces, IDs, or verified identities, so there is no honeypot to breach.

Is this plugin free?

Yes. The plugin itself is completely free and open source. It connects to the XYZ Age Verification API, which includes a free plan with 100 verification credits per month — no credit card required. One credit is consumed per face liveness attempt, three credits total per document verification. Additional credit packs are available for purchase via PayPal at xyzinc.com/credits. Your first purchase includes 300 bonus credits and switches your site to a prepaid billing model — prepaid credits do not expire or reset monthly.

What are verification credits?

Credits represent verification attempts. Each face liveness check (Tier 1) costs 1 credit. Each document verification (Tier 2) costs 3 credits total. Your free plan includes 100 credits per month, resetting on the first of each month. Unused credits do not roll over.

How does the system decide when to ask for ID?

For age thresholds of 18, most visitors complete verification with a quick selfie. The liveness check includes a minor-probability assessment, and any result that crosses a conservative threshold automatically escalates to government ID verification. This means most adult visitors never see the ID step, while visitors whose appearance is ambiguous are asked for verifiable proof.

For age thresholds above 18 (e.g., 21+ for alcohol, cannabis, or certain firearms content), ID verification is always required because a selfie alone cannot establish a specific age — only a date of birth from an ID document can. The plugin enforces this automatically for any region configured with a minimum age above 18.

Does Tier 1 estimate the visitor’s age?

No. Tier 1 produces a binary adult/not-adult determination, not an age estimate. The underlying classifier evaluates the probability that the subject is a minor; this probability drives the pass, fail, or escalate decision. The system never claims to know a visitor’s age from a selfie. Specific age thresholds (21+, 25+, etc.) require Tier 2 because only an ID document supplies a verifiable date of birth.

What happens when my credits run out?

This depends on your API Failure Behavior setting. In “fail open” mode (the default), visitors are allowed through unverified. In “fail closed” mode, visitors are redirected to an error page until credits reset or you purchase additional credits. Verifications already in progress are allowed to complete. You can purchase credit packs at any time from xyzinc.com/credits — your first purchase includes 300 bonus credits.

European site operators with regulatory compliance obligations typically need “fail closed.”

Why does this plugin require Cloudflare?

The plugin uses Cloudflare’s CF-IPCountry and CF-Region-Code headers to identify the country and (in the US) state that each visitor is connecting from. These headers are automatically added by Cloudflare’s network when your site is proxied through it. Without these headers, the plugin has no reliable way to determine where a visitor is connecting from, and region-specific verification rules cannot work.

There is no alternative geo-detection method that meets the plugin’s accuracy and privacy requirements. Maxmind, IP2Location, and similar third-party databases are less accurate, require external lookups for every request, and would mean shipping IP addresses to additional services. Cloudflare’s headers are calculated server-side by Cloudflare itself, with no extra request needed.

For more detail, see: Why XYZ Age Verification requires Cloudflare.

The plugin shows a notice about missing Cloudflare headers. What does it mean?

The plugin checks for three Cloudflare headers on admin page loads and shows a diagnostic notice if any are missing. There are three possible states:

• No CF-Ray header at all — your site is not currently being served through Cloudflare. Either DNS migration is incomplete, or the proxy (orange cloud) is disabled on your A/AAAA records. Region-based verification cannot work until this is resolved.
• CF-Ray present, but no CF-IPCountry — Cloudflare is in front of your site, but IP Geolocation is disabled. Enable it under Rules → Managed Transforms → Add visitor location headers in the Cloudflare dashboard. Available on the free plan.
• CF-IPCountry present, but no CF-Region-Code — country-level rules work, but US state and other subdivision-level rules will not. Enable the full “Add visitor location headers” Managed Transform (not just the country variant) in the Cloudflare dashboard. Available on the free plan.

The diagnostic reflects your current admin connection. If you administer the site via a VPN or another network that bypasses Cloudflare, the notice may appear even though visitors to your site are getting the headers correctly. The Cloudflare setup guide walks through verifying headers from a normal visitor connection.

What does “setting up Cloudflare” actually involve?

Setting up Cloudflare means changing your domain’s nameservers at your domain registrar to point at Cloudflare. Once Cloudflare is your DNS provider, all DNS records (A, AAAA, MX, TXT, CNAME) are managed in the Cloudflare dashboard instead of at your registrar.

The migration has implications worth understanding before you begin:

• Email records must be preserved. If your domain has email (MX records, SPF, DKIM, DMARC), those records must be re-created in Cloudflare exactly as they were before. If they are not, your email will stop working.
• Existing services that depend on DNS — subdomain configurations, third-party integrations that ask you to add TXT records, SSL certificates managed outside Cloudflare — may need attention.
• DNS changes are not instant. Nameserver changes can take up to 48 hours to propagate worldwide. Mistakes made during migration are not immediately reversible.

If you have never managed your own DNS, or if your site’s email and other services are configured by someone else (a web host, an IT contractor), please read the Cloudflare setup guide before installing this plugin. The guide focuses specifically on preserving email and other services during the migration.

If migrating to Cloudflare is not something you are comfortable doing or paying someone to do, this plugin is not the right choice. Simpler self-declaration age gate plugins do not require infrastructure changes, but they are not real verification — they are popups with no enforcement. Choose based on what your compliance obligations actually require.

Can visitors see my homepage or registration page without going through verification?

Yes, as of version 2.5.4. The plugin supports an Exempt Paths list — specific URLs that bypass the age gate entirely, even for visitors from gated regions. Common uses:

• / — your homepage, so visitors can see what the site is before deciding to verify
• /privacy-policy/, /terms/ — legal pages that must be accessible without verification
• /register/, /login/, /contact/ — onboarding and contact pages

Exact paths and /* wildcard prefixes are supported (e.g., /public/* exempts everything under /public/). Configure exempt paths in the new Exempt Paths tab in the plugin admin.

Important: do not exempt paths that contain age-restricted content. Exemption means the path is accessible to all visitors regardless of region — including any underage visitors who might attempt to reach it directly.

What happens if the API is unreachable?

The behavior is controlled by the API Failure Behavior setting on the Age Verification settings page. “Fail open” (the default) allows visitors through unverified to prevent your site from going offline. “Fail closed” redirects visitors to an error page. Sites with compliance obligations should generally use “fail closed.”

What is the must-use plugin for?

The MU plugin (xyz-age-gate-redirect.php) runs early in the WordPress loading process, before most plugins. It checks Cloudflare geo headers and the verification cookie on every request, redirecting unverified visitors to the age gate page. This early execution is essential for the gate to work reliably and to prevent unverified visitors from briefly seeing protected content.

Is this plugin compatible with WP Rocket?

No. WP Rocket’s page cache serves static HTML files via its advanced-cache.php drop-in, which executes before must-use plugins load. This means WP Rocket can serve cached pages to unverified visitors, bypassing the gate entirely. WP Rocket does not currently offer a way to conditionally cache based on cookie presence. Other page cache plugins that respect the standard WordPress loading order are compatible — just exclude /age-gate/ from caching. Confirmed compatible: WP Super Cache (Simple mode only), Jetpack Boost, and W3 Total Cache.

Can visitors bypass the gate with browser dev tools?

The verification cookie is cryptographically signed using HMAC-SHA256. Setting a fake cookie value will not pass signature verification. The verification logic runs at the must-use plugin level before any plugin-level code that could be tampered with via WordPress filters or hooks.

Will the gate block me from my own WordPress admin?

No. The /wp-admin/ area and the login page are always exempted. All logged-in WordPress users are automatically bypassed at the redirect level, so administrators, editors, and other authenticated users will not encounter the gate while browsing the site.

How does this work with membership or subscriber sites?

The gate runs at the must-use plugin level, which executes before WordPress loads user roles. At this stage the plugin can detect that a visitor is logged in but cannot distinguish between an administrator and a regular member. As a result, all logged-in WordPress users bypass the gate, not just administrators.

For most sites this is not an issue — anonymous visitors are verified before they can register or log in, so members have already passed verification. However, if your site requires re-verification for content that logged-in members can also access (e.g., tiered content where some sections require re-verification), this plugin alone is not a fit for that use case. Plan your registration flow with this behavior in mind.

If you need tighter integration with membership levels — for example, requiring different verification tiers for different membership levels, or protecting media files based on membership — XYZ Protect integrates directly with MemberPress and Paid Memberships Pro to provide membership-aware authorization. It is a separate licensed plugin available at xyzinc.com.

What is the Cookie Signing Key?

The Cookie Signing Key is an HMAC-SHA256 secret used to cryptographically sign verification cookies. This prevents visitors from forging a verification cookie. The key is generated per-site by the XYZ API. Click “Fetch from API” on the settings page to set it up automatically.

How do I know if the plugin is configured correctly?

The settings page includes a Setup Checklist that shows green checkmarks for completed steps and red Xs for missing items. There is also an API Status indicator that tests the connection to the XYZ verification API. Click the Help tab at the top-right of the settings page for a full setup guide and troubleshooting tips.

How do I test the age gate without being in a configured region?

Enable Test Mode in Settings > Age Verification. Once enabled, anyone can add a ?reg= query string parameter to any page URL to simulate a visitor from that region. For example, ?reg=US-TX simulates a visitor from Texas, USA, and ?reg=DE simulates a visitor from Germany. Test mode bypasses both the verification cookie and the logged-in user exemption, so you experience the full verification flow. This works in incognito/private browsing windows without a WordPress login, which is the most common way to test as an anonymous visitor. Remember to disable test mode when you are finished — a persistent admin notice will remind you.

Does this plugin protect files in wp-content/uploads?

No. The gate applies to WordPress pages and posts — it does not restrict direct access to media files served from /wp-content/uploads/. If a visitor knows or guesses the direct URL to an uploaded file, they can access it without verification. This is a limitation of the WordPress architecture: media files are served directly by the web server (Apache/Nginx) and do not pass through WordPress’s PHP execution. Protecting uploaded files requires server-level configuration beyond what a free WordPress plugin can provide.

For full media file protection alongside age verification — covering images, videos, PDFs, and audio in /wp-content/uploads/ — see XYZ Protect at xyzinc.com. XYZ Protect adds a Cloudflare Worker layer that authorizes every media request before serving the file.

What is the minimum age setting?

Each region can have its own minimum age threshold (default is 18). For regions with a minimum age above 18, the plugin automatically requires Tier 2 verification (government ID) because Tier 1 (face liveness) can only assess minor probability, not exact age. The ID document is needed to extract the date of birth for precise age calculation.