
XYZ Age Verification

Developer: xyzinc
xyzageverify
Updated: May 25, 2026 22:49
PHP version: 7.4 or later
WordPress version: 7.0
License: GPLv2 or later
License URL: License information

Tags

age verification, age gate, age verify, age restriction, adults only

Download

2.5.1 2.4.2 2.5.0 2.5.2 2.5.3

Description:

Most WordPress age verification plugins are age gates — a popup that asks visitors to click "Yes, I'm 18+" or pick a birthday from a dropdown. Anyone, including a minor, can click through in under a second. That used to be the standard. It is no longer a defensible compliance measure under the UK Online Safety Act, US state age verification laws (Texas, Louisiana, Virginia, and a growing list), or EU age assurance requirements under the Digital Services Act.

XYZ Age Verification is different. It confirms visitors are adults using a real-time selfie liveness check, with automatic escalation to government ID verification for borderline cases or stricter age thresholds. No biometric data is stored. No checkbox to lie to. No date-of-birth dropdown that a child can spin in five seconds.

When you need this plugin:

Why XYZ Age Verification:

Free plan included: This plugin includes a free plan with 100 verification credits per month — no credit card required. Register directly from the plugin settings page with just your email. Credits reset monthly. Additional credit packs are available via PayPal for sites that need more capacity; your first purchase includes 300 bonus credits and switches your site to prepaid billing (credits do not expire or reset monthly).

How it works:
  1. Visitors from configured regions are redirected to an age verification page.
  2. They complete a face liveness check (Tier 1) or liveness plus government ID verification (Tier 2). Tier 1 produces a binary adult/not-adult result — it does not estimate age.
  3. If the liveness check indicates the visitor may be a minor, the system automatically escalates to government ID verification. For age thresholds other than 18 (e.g., 21+ for alcohol or cannabis), Tier 2 is required because only an ID document provides a verifiable date of birth.
  4. Upon a successful verification, a cryptographically signed cookie is set and the visitor is granted access.
  5. All biometric data, selfies, and document images are discarded immediately after the verification completes — regardless of the result.
Requirements:

External service — XYZ Age Verification API: This plugin connects to the XYZ Age Verification API at https://age-verify.xyzinc.com, operated by XY Zinc (a brand of Chaos Unlimited LLC), to perform biometric liveness detection and government ID document verification. The plugin cannot function without this service — it is the core verification engine.

When a visitor triggers verification, the plugin sends the visitor's country and state codes (derived from Cloudflare headers) to the API to create a verification session. The visitor then interacts directly with the verification UI hosted by the service. No biometric data passes through your WordPress server. The plugin polls the API for session status and receives only a pass/fail result.

Complete feature list:

Installation:

  1. Upload the xyz-age-verification-free folder to /wp-content/plugins/.
  2. Activate the plugin through the "Plugins" menu in WordPress.
  3. Go to Settings > Age Verification.
  4. If you don't have an API key, enter your email under "Get Started with a Free Plan" and click Start Free Plan. Check your email to confirm and receive your API key.
  5. Enter your API key in the settings.
  6. Click Fetch from API next to the Cookie Signing Key field to enable secure cookie verification.
  7. Create a WordPress page with the slug age-gate and add the [xyzav_age_verify] shortcode to its content.
  8. Copy mu-plugin/xyz-age-gate-redirect.php from the plugin folder to /wp-content/mu-plugins/. Create the mu-plugins directory if it does not exist.
  9. Go to Settings > Free Plan to configure your regions, welcome content, and verification thresholds.
  10. If using a page cache plugin, exclude /age-gate/ from caching. Note: WP Rocket is not compatible (see FAQ).
  11. Check the Setup Checklist on the settings page to verify all steps are complete.

Screenshots:

  • Age verification page with QR code and verification options
  • Region management with minimum age configuration
  • Recent verifications with detailed attempt history
  • Plan status showing credit usage and remaining balance
  • Test mode in action — simulating a region with ?reg= parameter

Upgrade notice:

  • 2.5.2: Readme overhaul plus a fix for a 404 error when editing country-wide regions in the admin. Recommended for all users with country-level regions configured.
  • 2.5.1: Adds credit pack purchasing via PayPal with a 300-credit bonus on first purchase. Recommended for sites needing more than 100 verifications per month.
  • 2.5.0: Interstitial consent gate eliminates passive bot session creation. Visitor IP now passed to API for per-IP rate limiting. Recommended for all users, especially high-traffic sites.
  • 2.4.2: MU plugin cookie handling optimization and improved phpcs annotations.
  • 2.4.1: Security and compliance improvements for WordPress.org review. Free Plan Admin now uses WP REST API. MU plugin redirect URLs are HMAC-verified. Recommended for all users.
  • 2.3.0: New free plan with 100 monthly credits, built-in region management, configurable fail behavior, and detailed verification history. Recommended for all users.
  • 2.2.0: Security improvements including signed cookies, test mode, and setup checklist. Recommended for all users.
  • 2.1.0: Critical security fix — removes region parameter override vulnerability. Update immediately.

Frequently asked questions:

How is this different from other age verification plugins on WordPress.org?

Most plugins listed under "age verification" are technically age gates — a popup with a "Yes, I'm 18+" button or a date-of-birth dropdown. A minor can pass these in seconds by clicking the right button or picking a year. They satisfy a checkbox-level compliance requirement but do not actually verify that the visitor is an adult. XYZ Age Verification performs real verification: a real-time selfie liveness check confirms a living person is present, and a trained classifier evaluates the probability that the person is a minor. Borderline cases automatically escalate to government ID verification. The result is a binary adult/not-adult determination backed by biometrics or a verifiable identity document — not a click. If a self-declaration popup is sufficient for your compliance needs, plenty of free plugins offer that. If you need real verification because of OFCOM, US state laws, EU requirements, or your platform's own policies, this plugin is built for that.

Where is my biometric data stored?

Nowhere. Selfies, liveness frames, and government ID images are processed in real time by the verification service and discarded immediately after the session completes — regardless of the outcome. The only data retained is the verification result (pass/fail), session metadata, a timestamp, and the visitor's IP address (for fraud detection). Date of birth from ID documents is used transiently for age calculation and then discarded. Full details are in the Privacy Policy. This is a fundamental architectural choice. The system does not maintain a database of faces, IDs, or verified identities, so there is no honeypot to breach.

Is this plugin free?

Yes. The plugin itself is completely free and open source. It connects to the XYZ Age Verification API, which includes a free plan with 100 verification credits per month — no credit card required. One credit is consumed per face liveness attempt, three credits total per document verification. Additional credit packs are available for purchase via PayPal at xyzinc.com/credits. Your first purchase includes 300 bonus credits and switches your site to a prepaid billing model — prepaid credits do not expire or reset monthly.

What are verification credits?

Credits represent verification attempts. Each face liveness check (Tier 1) costs 1 credit. Each document verification (Tier 2) costs 3 credits total. Your free plan includes 100 credits per month, resetting on the first of each month. Unused credits do not roll over.

How does the system decide when to ask for ID?

For age thresholds of 18, most visitors complete verification with a quick selfie. The liveness check includes a minor-probability assessment, and any result that crosses a conservative threshold automatically escalates to government ID verification. This means most adult visitors never see the ID step, while visitors whose appearance is ambiguous are asked for verifiable proof. For age thresholds above 18 (e.g., 21+ for alcohol, cannabis, or certain firearms content), ID verification is always required because a selfie alone cannot establish a specific age — only a date of birth from an ID document can. The plugin enforces this automatically for any region configured with a minimum age above 18.

Does Tier 1 estimate the visitor's age?

No. Tier 1 produces a binary adult/not-adult determination, not an age estimate. The underlying classifier evaluates the probability that the subject is a minor; this probability drives the pass, fail, or escalate decision. The system never claims to know a visitor's age from a selfie. Specific age thresholds (21+, 25+, etc.) require Tier 2 because only an ID document supplies a verifiable date of birth.

What happens when my credits run out?

This depends on your API Failure Behavior setting. In "fail open" mode (the default), visitors are allowed through unverified. In "fail closed" mode, visitors are redirected to an error page until credits reset or you purchase additional credits. Verifications already in progress are allowed to complete. You can purchase credit packs at any time from xyzinc.com/credits — your first purchase includes 300 bonus credits. European site operators with regulatory compliance obligations typically need "fail closed."

Why does this plugin require Cloudflare?

The plugin uses Cloudflare's CF-IPCountry and CF-Region-Code headers to determine visitor location for region-specific verification rules. These headers are added automatically when your site is proxied through Cloudflare. A free Cloudflare plan provides these headers.

What happens if the API is unreachable?

The behavior is controlled by the API Failure Behavior setting on the Age Verification settings page. "Fail open" (the default) allows visitors through unverified to prevent your site from going offline. "Fail closed" redirects visitors to an error page. Sites with compliance obligations should generally use "fail closed."

What is the must-use plugin for?

The MU plugin (xyz-age-gate-redirect.php) runs early in the WordPress loading process, before most plugins. It checks Cloudflare geo headers and the verification cookie on every request, redirecting unverified visitors to the age gate page. This early execution is essential for the gate to work reliably and to prevent unverified visitors from briefly seeing protected content.

Is this plugin compatible with WP Rocket?

No. WP Rocket's page cache serves static HTML files via its advanced-cache.php drop-in, which executes before must-use plugins load. This means WP Rocket can serve cached pages to unverified visitors, bypassing the gate entirely. WP Rocket does not currently offer a way to conditionally cache based on cookie presence. Other page cache plugins that respect the standard WordPress loading order are compatible — just exclude /age-gate/ from caching. Confirmed compatible: WP Super Cache (Simple mode only), Jetpack Boost, and W3 Total Cache.

Can visitors bypass the gate with browser dev tools?

The verification cookie is cryptographically signed using HMAC-SHA256. Setting a fake cookie value will not pass signature verification. The verification logic runs at the must-use plugin level before any plugin-level code that could be tampered with via WordPress filters or hooks.

Will the gate block me from my own WordPress admin?

No. The /wp-admin/ area and the login page are always exempted. All logged-in WordPress users are automatically bypassed at the redirect level, so administrators, editors, and other authenticated users will not encounter the gate while browsing the site.

How does this work with membership or subscriber sites?

The gate runs at the must-use plugin level, which executes before WordPress loads user roles. At this stage the plugin can detect that a visitor is logged in but cannot distinguish between an administrator and a regular member. As a result, all logged-in WordPress users bypass the gate, not just administrators. For most sites this is not an issue — anonymous visitors are verified before they can register or log in, so members have already passed verification. However, if your site requires re-verification for content that logged-in members can also access (e.g., tiered content where some sections require re-verification), this plugin alone is not a fit for that use case. Plan your registration flow with this behavior in mind. If you need tighter integration with membership levels — for example, requiring different verification tiers for different membership levels, or protecting media files based on membership — XYZ Protect integrates directly with MemberPress and Paid Memberships Pro to provide membership-aware authorization. It is a separate licensed plugin available at xyzinc.com.

What is the Cookie Signing Key?

The Cookie Signing Key is an HMAC-SHA256 secret used to cryptographically sign verification cookies. This prevents visitors from forging a verification cookie. The key is generated per-site by the XYZ API. Click "Fetch from API" on the settings page to set it up automatically.
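The answers above on forged cookies and on the Cookie Signing Key both describe an HMAC-SHA256 signature over the verification cookie. As an added example (not the plugin's own code; the cookie layout, claim names and the `demo_*` functions are assumptions made for illustration), this shows how such a cookie can be signed and then checked so that forged, edited, or expired values are rejected:

```php
<?php
// Added illustration, NOT the plugin's code. The cookie layout
// (base64(JSON claims) . "." . hex HMAC-SHA256), the claim names and the
// demo_* function names are assumptions for this example only.

function demo_sign_cookie(array $claims, string $key): string {
    $payload = base64_encode(json_encode($claims));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Returns the claims on success, or null if the cookie is malformed,
// carries a bad signature, or has expired.
function demo_verify_cookie(string $cookie, string $key, int $now): ?array {
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Verify the MAC before parsing anything the visitor controls.
    // hash_equals() compares in constant time, so response timing does not
    // reveal how much of a guessed signature was correct.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    $json   = base64_decode($payload, true);
    $claims = $json === false ? null : json_decode($json, true);
    if (!is_array($claims) || !isset($claims['exp']) || !is_int($claims['exp'])) {
        return null;
    }
    // A signed expiry stops an old cookie from being replayed indefinitely.
    return $claims['exp'] > $now ? $claims : null;
}

// Constructed sample values (not a real key or a real cookie).
$key    = 'constructed-demo-key-not-a-real-secret';
$now    = 1700000000;
$claims = ['verified' => true, 'min_age' => 18, 'exp' => $now + 3600];
$cookie = demo_sign_cookie($claims, $key);

// 1. Untouched cookie inside its lifetime.
var_dump(demo_verify_cookie($cookie, $key, $now));
// 2. Value typed into dev tools without knowledge of the key.
var_dump(demo_verify_cookie('dmVyaWZpZWQ=.deadbeef', $key, $now));
// 3. Expiry edited in the payload while the original signature is reused.
$claims['exp'] = $now + 999999;
$edited = base64_encode(json_encode($claims)) . '.' . explode('.', $cookie)[1];
var_dump(demo_verify_cookie($edited, $key, $now));
// 4. Untouched cookie presented after its expiry.
var_dump(demo_verify_cookie($cookie, $key, $now + 7200));
```

Only the first call returns the claims array; the other three return null. The protection holds only while the signing key stays secret on the server.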

How do I know if the plugin is configured correctly?

The settings page includes a Setup Checklist that shows green checkmarks for completed steps and red Xs for missing items. There is also an API Status indicator that tests the connection to the XYZ verification API. Click the Help tab at the top-right of the settings page for a full setup guide and troubleshooting tips.

How do I test the age gate without being in a configured region?

Enable Test Mode in Settings > Age Verification. Once enabled, anyone can add a ?reg= query string parameter to any page URL to simulate a visitor from that region. For example, ?reg=US-TX simulates a visitor from Texas, USA, and ?reg=DE simulates a visitor from Germany. Test mode bypasses both the verification cookie and the logged-in user exemption, so you experience the full verification flow. This works in incognito/private browsing windows without a WordPress login, which is the most common way to test as an anonymous visitor. Remember to disable test mode when you are finished — a persistent admin notice will remind you.

Does this plugin protect files in wp-content/uploads?

No. The gate applies to WordPress pages and posts — it does not restrict direct access to media files served from /wp-content/uploads/. If a visitor knows or guesses the direct URL to an uploaded file, they can access it without verification. This is a limitation of the WordPress architecture: media files are served directly by the web server (Apache/Nginx) and do not pass through WordPress's PHP execution. Protecting uploaded files requires server-level configuration beyond what a free WordPress plugin can provide. For full media file protection alongside age verification — covering images, videos, PDFs, and audio in /wp-content/uploads/ — see XYZ Protect at xyzinc.com. XYZ Protect adds a Cloudflare Worker layer that authorizes every media request before serving the file.

What is the minimum age setting?

Each region can have its own minimum age threshold (default is 18). For regions with a minimum age above 18, the plugin automatically requires Tier 2 verification (government ID) because Tier 1 (face liveness) can only assess minor probability, not exact age. The ID document is needed to extract the date of birth for precise age calculation.

Changelog:

2.5.3 2.5.2 2.5.1 2.5.0 2.4.2 2.4.1 2.4.0 2.3.0 2.2.0 2.1.0 2.0.0