Readme overhaul plus a fix for a 404 error when editing country-wide regions in the admin. Recommended for all users with country-level regions configured.<\/p>","2.5.1":"
Adds credit pack purchasing via PayPal with a 300-credit bonus on first purchase. Recommended for sites needing more than 100 verifications per month.<\/p>","2.5.0":"
Interstitial consent gate eliminates passive bot session creation. Visitor IP now passed to API for per-IP rate limiting. Recommended for all users, especially high-traffic sites.<\/p>","2.4.2":"
MU plugin cookie handling optimization and improved phpcs annotations.<\/p>","2.4.1":"
Security and compliance improvements for WordPress.org review. Free Plan Admin now uses WP REST API. MU plugin redirect URLs are HMAC-verified. Recommended for all users.<\/p>","2.3.0":"
New free plan with 100 monthly credits, built-in region management, configurable fail behavior, and detailed verification history. Recommended for all users.<\/p>","2.2.0":"
Security improvements including signed cookies, test mode, and setup checklist. Recommended for all users.<\/p>","2.1.0":"
Critical security fix \u2014 removes region parameter override vulnerability. Update immediately.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3482278,"resolution":"128x128","location":"assets","locale":"","width":128,"height":128},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3482278,"resolution":"256x256","location":"assets","locale":"","width":256,"height":256}},"assets_banners":{"banner-772x250.png":{"filename":"banner-772x250.png","revision":3482278,"resolution":"772x250","location":"assets","locale":"","width":772,"height":250}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["2.4.2","2.5.0","2.5.1","2.5.2","2.5.3"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3482278,"resolution":"1","location":"assets","locale":"","width":765,"height":360},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3482278,"resolution":"2","location":"assets","locale":"","width":921,"height":766},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3482278,"resolution":"3","location":"assets","locale":"","width":1294,"height":512},"screenshot-4.png":{"filename":"screenshot-4.png","revision":3482278,"resolution":"4","location":"assets","locale":"","width":1306,"height":1183},"screenshot-5.png":{"filename":"screenshot-5.png","revision":3482278,"resolution":"5","location":"assets","locale":"","width":704,"height":357},"screenshot-6.png":{"filename":"screenshot-6.png","revision":3482278,"resolution":"6","location":"assets","locale":"","width":775,"height":1250}},"screenshots":{"1":"Settings page with setup checklist and API health check","2":"Age verification page with QR code and verification options","3":"Region management with minimum age configuration","4":"Recent verifications with detailed attempt history","5":"Plan status showing credit usage and remaining balance","6":"Test mode in action \u2014 simulating a region with ?reg= parameter"}},"plugin_section":[],"plugin_tags":[139798,70877,41695,5616,5617],"plugin_category":[],"plugin_contributors":[257723],"plugin_business_model":[],"class_list":["post-286954","plugin","type-plugin","status-publish","hentry","plugin_tags-adults-only","plugin_tags-age-gate","plugin_tags-age-restriction","plugin_tags-age-verification","plugin_tags-age-verify","plugin_contributors-xyzageverify","plugin_committers-xyzageverify"],"banners":{"banner":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/banner-772x250.png?rev=3482278","banner_2x":false,"banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/icon-128x128.png?rev=3482278","icon_2x":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/icon-256x256.png?rev=3482278","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/screenshot-1.png?rev=3482278","caption":"Settings page with setup checklist and API health check"},{"src":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/screenshot-2.png?rev=3482278","caption":"Age verification page with QR code and verification options"},{"src":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/screenshot-3.png?rev=3482278","caption":"Region management with minimum age configuration"},{"src":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/screenshot-4.png?rev=3482278","caption":"Recent verifications with detailed attempt history"},{"src":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/screenshot-5.png?rev=3482278","caption":"Plan status showing credit usage and remaining balance"},{"src":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/screenshot-6.png?rev=3482278","caption":"Test mode in action \u2014 simulating a region with ?reg= parameter"}],"raw_content":"\n
Most WordPress age verification plugins are age gates<\/strong> \u2014 a popup that asks visitors to click \"Yes, I'm 18+\" or pick a birthday from a dropdown. Anyone, including a minor, can click through in under a second. That used to be the standard. It is no longer a defensible compliance measure under the UK Online Safety Act, US state age verification laws (Texas, Louisiana, Virginia, and a growing list), or EU age assurance requirements under the Digital Services Act.<\/p>\n\n XYZ Age Verification is different. It confirms visitors are adults using a real-time selfie liveness check, with automatic escalation to government ID verification for borderline cases or stricter age thresholds. No biometric data is stored.<\/strong> No checkbox to lie to. No date-of-birth dropdown that a child can spin in five seconds.<\/p>\n\n When you need this plugin:<\/strong><\/p>\n\n Why XYZ Age Verification:<\/strong><\/p>\n\n Free plan included:<\/strong><\/p>\n\n This plugin includes a free plan with 100 verification credits per month \u2014 no credit card required. Register directly from the plugin settings page with just your email. Credits reset monthly. Additional credit packs are available via PayPal for sites that need more capacity; your first purchase includes 300 bonus credits and switches your site to prepaid billing (credits do not expire or reset monthly).<\/p>\n\n How it works:<\/strong><\/p>\n\n Requirements:<\/strong><\/p>\n\n External service \u2014 XYZ Age Verification API:<\/strong><\/p>\n\n This plugin connects to the XYZ Age Verification API at When a visitor triggers verification, the plugin sends the visitor's country and state codes (derived from Cloudflare headers) to the API to create a verification session. The visitor then interacts directly with the verification UI hosted by the service. No biometric data passes through your WordPress server. The plugin polls the API for session status and receives only a pass\/fail result.<\/p>\n\n Complete feature list:<\/strong><\/p>\n\n Media files in Currently the gate applies to your entire site based on visitor region. A future release will add a restricted paths<\/strong> mode, allowing site owners to gate only specific URL paths (e.g., Credit packs are available for purchase via PayPal at xyzinc.com\/credits<\/a>. Purchased credits persist until used \u2014 they do not expire or reset monthly. Multiple packs can be stacked. Your first purchase includes a bonus of 300 credits and switches your site to prepaid billing, replacing the monthly free credit allocation.<\/p>\n\n This plugin includes the following third-party library:<\/p>\n\n No build tools are required. The library is included as-is from the upstream repository with a minor CSS modification (image display style changed from \"block\" to \"inline-block\" for QR code placement). The unminified source is included for review.<\/p>\n\n\n Most plugins listed under \"age verification\" are technically age gates<\/strong> \u2014 a popup with a \"Yes, I'm 18+\" button or a date-of-birth dropdown. A minor can pass these in seconds by clicking the right button or picking a year. They satisfy a checkbox-level compliance requirement but do not actually verify that the visitor is an adult.<\/p>\n\n XYZ Age Verification performs real verification: a real-time selfie liveness check confirms a living person is present, and a trained classifier evaluates the probability that the person is a minor. Borderline cases automatically escalate to government ID verification. The result is a binary adult\/not-adult determination backed by biometrics or a verifiable identity document \u2014 not a click.<\/p>\n\n If a self-declaration popup is sufficient for your compliance needs, plenty of free plugins offer that. If you need real verification because of OFCOM, US state laws, EU requirements, or your platform's own policies, this plugin is built for that.<\/p><\/dd>\n Nowhere. Selfies, liveness frames, and government ID images are processed in real time by the verification service and discarded immediately after the session completes \u2014 regardless of the outcome. The only data retained is the verification result (pass\/fail), session metadata, a timestamp, and the visitor's IP address (for fraud detection). Date of birth from ID documents is used transiently for age calculation and then discarded. Full details are in the Privacy Policy<\/a>.<\/p>\n\n This is a fundamental architectural choice. The system does not maintain a database of faces, IDs, or verified identities, so there is no honeypot to breach.<\/p><\/dd>\n Yes. The plugin itself is completely free and open source. It connects to the XYZ Age Verification API, which includes a free plan with 100 verification credits per month \u2014 no credit card required. One credit is consumed per face liveness attempt, three credits total per document verification. Additional credit packs are available for purchase via PayPal at xyzinc.com\/credits<\/a>. Your first purchase includes 300 bonus credits and switches your site to a prepaid billing model \u2014 prepaid credits do not expire or reset monthly.<\/p><\/dd>\n Credits represent verification attempts. Each face liveness check (Tier 1) costs 1 credit. Each document verification (Tier 2) costs 3 credits total. Your free plan includes 100 credits per month, resetting on the first of each month. Unused credits do not roll over.<\/p><\/dd>\n For age thresholds of 18, most visitors complete verification with a quick selfie. The liveness check includes a minor-probability assessment, and any result that crosses a conservative threshold automatically escalates to government ID verification. This means most adult visitors never see the ID step, while visitors whose appearance is ambiguous are asked for verifiable proof.<\/p>\n\n For age thresholds above 18 (e.g., 21+ for alcohol, cannabis, or certain firearms content), ID verification is always required because a selfie alone cannot establish a specific age \u2014 only a date of birth from an ID document can. The plugin enforces this automatically for any region configured with a minimum age above 18.<\/p><\/dd>\n No. Tier 1 produces a binary adult\/not-adult determination, not an age estimate. The underlying classifier evaluates the probability that the subject is a minor; this probability drives the pass, fail, or escalate decision. The system never claims to know a visitor's age from a selfie. Specific age thresholds (21+, 25+, etc.) require Tier 2 because only an ID document supplies a verifiable date of birth.<\/p><\/dd>\n This depends on your API Failure Behavior<\/strong> setting. In \"fail open\" mode (the default), visitors are allowed through unverified. In \"fail closed\" mode, visitors are redirected to an error page until credits reset or you purchase additional credits. Verifications already in progress are allowed to complete. You can purchase credit packs at any time from xyzinc.com\/credits<\/a> \u2014 your first purchase includes 300 bonus credits.<\/p>\n\n European site operators with regulatory compliance obligations typically need \"fail closed.\"<\/p><\/dd>\n The plugin uses Cloudflare's The behavior is controlled by the API Failure Behavior<\/strong> setting on the Age Verification settings page. \"Fail open\" (the default) allows visitors through unverified to prevent your site from going offline. \"Fail closed\" redirects visitors to an error page. Sites with compliance obligations should generally use \"fail closed.\"<\/p><\/dd>\n The MU plugin ( No.<\/strong> WP Rocket's page cache serves static HTML files via its The verification cookie is cryptographically signed using HMAC-SHA256. Setting a fake cookie value will not pass signature verification. The verification logic runs at the must-use plugin level before any plugin-level code that could be tampered with via WordPress filters or hooks.<\/p><\/dd>\n No. The The gate runs at the must-use plugin level, which executes before WordPress loads user roles. At this stage the plugin can detect that a visitor is logged in but cannot distinguish between an administrator and a regular member. As a result, all logged-in WordPress users bypass the gate<\/strong>, not just administrators.<\/p>\n\n For most sites this is not an issue \u2014 anonymous visitors are verified before they can register or log in, so members have already passed verification. However, if your site requires re-verification for content that logged-in members can also access (e.g., tiered content where some sections require re-verification), this plugin alone is not a fit for that use case. Plan your registration flow with this behavior in mind.<\/p>\n\n If you need tighter integration with membership levels \u2014 for example, requiring different verification tiers for different membership levels, or protecting media files based on membership \u2014 XYZ Protect<\/a> integrates directly with MemberPress and Paid Memberships Pro to provide membership-aware authorization. It is a separate licensed plugin available at xyzinc.com.<\/p><\/dd>\n\n
\n
\n
\n
CF-IPCountry<\/code> and CF-Region-Code<\/code>)<\/li>\nhttps:\/\/age-verify.xyzinc.com<\/code>, operated by XY Zinc (a brand of Chaos Unlimited LLC), to perform biometric liveness detection and government ID document verification. The plugin cannot function without this service \u2014 it is the core verification engine.<\/p>\n\n\n
\n
Planned Features<\/h3>\n\n
Media file protection \u2014 available now in XYZ Protect<\/h4>\n\n
\/wp-content\/uploads\/<\/code> are served directly by your web server and do not pass through WordPress PHP execution, so a free WordPress plugin cannot restrict them. XYZ Protect<\/a> is a separate licensed plugin that solves this problem using a Cloudflare Worker \u2014 every media request is authorized before the file is served. XYZ Protect can be combined with this plugin for sites that need both page gating and file-level protection.<\/p>\n\nRestricted path mode<\/h4>\n\n
\/mature\/<\/code>, \/adult-content\/<\/code>) while leaving the rest of the site accessible. This is ideal for sites that contain a mix of general and age-restricted content \u2014 sexuality education sites, media outlets with adult sections, or e-commerce stores with age-restricted product categories.<\/p>\n\nAdditional credit packs (available now)<\/h4>\n\n
Third-Party Libraries<\/h3>\n\n
\n
\n
assets\/js\/qrcode.js<\/code> (unminified source), assets\/js\/qrcode.min.js<\/code> (minified)<\/li>\n<\/ul><\/li>\n<\/ul>\n\n\n
xyz-age-verification-free<\/code> folder to \/wp-content\/plugins\/<\/code>.<\/li>\nage-gate<\/code> and add the [xyzav_age_verify]<\/code> shortcode to its content.<\/li>\nmu-plugin\/xyz-age-gate-redirect.php<\/code> from the plugin folder to \/wp-content\/mu-plugins\/<\/code>. Create the mu-plugins<\/code> directory if it does not exist.<\/li>\n\/age-gate\/<\/code> from caching. Note: WP Rocket is not compatible<\/strong> (see FAQ).<\/li>\n\n
How is this different from other age verification plugins on WordPress.org?<\/h3><\/dt>\n
Where is my biometric data stored?<\/h3><\/dt>\n
Is this plugin free?<\/h3><\/dt>\n
What are verification credits?<\/h3><\/dt>\n
How does the system decide when to ask for ID?<\/h3><\/dt>\n
Does Tier 1 estimate the visitor's age?<\/h3><\/dt>\n
What happens when my credits run out?<\/h3><\/dt>\n
Why does this plugin require Cloudflare?<\/h3><\/dt>\n
CF-IPCountry<\/code> and CF-Region-Code<\/code> headers to determine visitor location for region-specific verification rules. These headers are added automatically when your site is proxied through Cloudflare. A free Cloudflare plan provides these headers.<\/p><\/dd>\nWhat happens if the API is unreachable?<\/h3><\/dt>\n
What is the must-use plugin for?<\/h3><\/dt>\n
xyz-age-gate-redirect.php<\/code>) runs early in the WordPress loading process, before most plugins. It checks Cloudflare geo headers and the verification cookie on every request, redirecting unverified visitors to the age gate page. This early execution is essential for the gate to work reliably and to prevent unverified visitors from briefly seeing protected content.<\/p><\/dd>\nIs this plugin compatible with WP Rocket?<\/h3><\/dt>\n
advanced-cache.php<\/code> drop-in, which executes before must-use plugins load. This means WP Rocket can serve cached pages to unverified visitors, bypassing the gate entirely. WP Rocket does not currently offer a way to conditionally cache based on cookie presence. Other page cache plugins that respect the standard WordPress loading order are compatible \u2014 just exclude \/age-gate\/<\/code> from caching. Confirmed compatible: WP Super Cache (Simple mode only), Jetpack Boost, and W3 Total Cache.<\/p><\/dd>\nCan visitors bypass the gate with browser dev tools?<\/h3><\/dt>\n
Will the gate block me from my own WordPress admin?<\/h3><\/dt>\n
\/wp-admin\/<\/code> area and the login page are always exempted. All logged-in WordPress users are automatically bypassed at the redirect level, so administrators, editors, and other authenticated users will not encounter the gate while browsing the site.<\/p><\/dd>\nHow does this work with membership or subscriber sites?<\/h3><\/dt>\n