| Developer | xyzinc, xyzageverify |
|---|---|
| Last updated | March 14, 2026 05:37 |
| PHP version: | 7.4 or higher |
| WordPress version: | 6.9 |
| License: | GPLv2 or later |
| License URI: | License information |
CF-IPCountry and CF-Region-Code)

https://age-verify.xyzinc.com, operated by XY Zinc (a brand of Chaos Unlimited LLC), to perform biometric liveness detection and government ID document verification. The plugin cannot function without this service — it is the core verification engine.
When a visitor triggers age verification, the plugin sends the visitor's country and state codes (derived from Cloudflare headers) to the API to create a verification session. The visitor then interacts directly with the verification UI hosted by the service. No biometric data passes through your WordPress server. The plugin polls the API for session status and receives only a pass/fail result.
xyz-age-verification-free folder to /wp-content/plugins/.
age-gate and add the [xyzav_age_verify] shortcode to its content.
mu-plugin/xyz-age-gate-redirect.php from the plugin folder to /wp-content/mu-plugins/. Create the mu-plugins directory if it does not exist.
/age-gate/ from caching. Note: WP Rocket is not compatible (see FAQ).

Yes. The plugin itself is completely free and open source. It connects to the XYZ Age Verification API, which includes a free plan with 100 verification credits per month. One credit is consumed per face liveness attempt, and two credits per document verification attempt. Additional monthly credit packs are available for sites that need more capacity.
Credits represent verification attempts. Each face liveness check (Tier 1) costs 1 credit. Each document verification attempt (Tier 2) costs 2 credits. Your free plan includes 100 credits per month, which resets on the first of each month. Unused credits do not roll over.
This depends on your API Failure Behavior setting. In "fail open" mode (the default), visitors are allowed through unverified. In "fail closed" mode, visitors are redirected to an error page until credits reset or you purchase additional credits. Verifications that are already in progress when the limit is reached are allowed to complete.
The plugin uses Cloudflare's CF-IPCountry and CF-Region-Code headers to determine visitor location for region-specific age verification rules. These headers are added automatically when your site is proxied through Cloudflare. A free Cloudflare plan provides these headers.
The behavior is controlled by the API Failure Behavior setting on the Age Verification settings page. "Fail open" (the default) allows visitors through unverified to prevent your site from going offline. "Fail closed" redirects visitors to an error page. European site operators may need "fail closed" for regulatory compliance.
The MU plugin (xyz-age-gate-redirect.php) runs early in the WordPress loading process, before most plugins. It checks Cloudflare geo headers and the verification cookie on every request, redirecting unverified visitors to the age gate page. This early execution is essential for the age gate to work reliably.
No. WP Rocket's page cache serves static HTML files via its advanced-cache.php drop-in, which executes before must-use plugins load. This means WP Rocket can serve cached pages to unverified visitors, bypassing the age gate entirely. WP Rocket does not currently offer a way to conditionally cache based on cookie presence. Other page cache plugins that respect the standard WordPress loading order are compatible — just exclude /age-gate/ from caching.
The verification cookie is cryptographically signed using HMAC-SHA256. Setting a fake cookie value will not pass signature verification.
Only the verification result (pass/fail), session metadata, a timestamp, and the visitor's IP address (for fraud detection) are retained. Biometric data (face images, liveness frames) is processed in real-time and discarded immediately. No government ID content is stored — date of birth is used transiently for age calculation and then discarded. Full details can be found in the Privacy Policy.
No. The /wp-admin/ area and the login page are always exempted from the age gate. Additionally, all logged-in WordPress users are automatically bypassed at the redirect level, so administrators, editors, and other authenticated users will not encounter the age gate while browsing the site.
The age gate redirect runs at the must-use plugin level, which executes before WordPress loads user roles. At this stage the plugin can detect that a visitor is logged in, but cannot distinguish between an administrator and a regular member. As a result, all logged-in WordPress users bypass the age gate, not just administrators. For most sites this is not an issue — anonymous visitors are verified before they can register or log in, so members have already passed verification. However, if your site requires age verification for content that logged-in members can also access (e.g., tiered content where some sections require re-verification), this plugin is not a fit for that use case. Plan your registration flow with this behavior in mind.
The Cookie Signing Key is an HMAC-SHA256 secret used to cryptographically sign verification cookies. This prevents visitors from forging a verification cookie with browser dev tools. The key is generated per-site by the XYZ API. Click "Fetch from API" on the settings page to set it up automatically.
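How an HMAC-SHA256 signed cookie rejects a hand-set value, as an added PHP example that is not the plugin's own code. The cookie layout, the function names and the sample key are assumptions made for illustration.

```php
<?php
// Added illustration: the layout "<expiry>.<region>.<hex HMAC>" and all
// function names are assumptions, not the plugin's actual cookie format.

function example_sign_cookie(string $key, string $region, int $expires): string {
    $payload = $expires . '.' . $region;
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

function example_verify_cookie(string $key, string $cookie, int $now): bool {
    $parts = explode('.', $cookie);
    if (count($parts) !== 3) {
        return false;
    }
    [$expires, $region, $mac] = $parts;
    // Reject malformed fields before doing any cryptographic work.
    if (!ctype_digit($expires) || !preg_match('/\A[A-Z]{2}(-[A-Z0-9]{1,3})?\z/', $region)) {
        return false;
    }
    $expected = hash_hmac('sha256', $expires . '.' . $region, $key);
    // hash_equals() compares in constant time, so the check leaks no timing hints.
    if (!hash_equals($expected, $mac)) {
        return false;
    }
    // A valid signature on an expired cookie is still a failure.
    return (int) $expires > $now;
}

// Constructed key and cookies; a real key would come from "Fetch from API".
$key = bin2hex(random_bytes(32));
$now = time();
$good    = example_sign_cookie($key, 'US-TX', $now + 3600);
$forged  = ($now + 3600) . '.US-TX.' . str_repeat('0', 64);
$expired = example_sign_cookie($key, 'US-TX', $now - 1);

foreach (['good' => $good, 'forged' => $forged, 'expired' => $expired] as $label => $cookie) {
    printf("%-8s %s\n", $label, example_verify_cookie($key, $cookie, $now) ? 'accepted' : 'rejected');
}
```

Because the expiry and region are inside the signed payload, changing either one invalidates the signature as well.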
The settings page includes a Setup Checklist that shows green checkmarks for completed steps and red Xs for missing items. There is also an API Status indicator that tests the connection to the XYZ verification API. Click the Help tab at the top-right of the settings page for a full setup guide and troubleshooting tips.
Enable Test Mode in Settings > Age Verification. Once enabled, anyone can add a ?reg= query string parameter to any page URL to simulate a visitor from that region. For example, ?reg=US-TX simulates a visitor from Texas, USA, and ?reg=DE simulates a visitor from Germany. Test mode bypasses both the verification cookie and the logged-in user exemption so you experience the full age gate flow. This works in incognito/private browsing windows without a WordPress login, which is the most common way to test as an anonymous visitor. Remember to disable test mode when testing is complete — a persistent admin notice will remind you.
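The order of checks described in the answers above (exempt paths, Cloudflare region, logged-in bypass, cookie, test mode), written out as an added PHP example that is not the plugin's own code. Function names, the `$rules` layout with its `'*'` fallback, the exemption of the gate page itself, and the sample thresholds are assumptions.

```php
<?php
// Added illustration. Names, the $rules layout ('*' = fallback) and the return
// shape are assumptions; header names, ?reg= and the tier rule are from the FAQ.
function example_region(array $server, array $query, bool $test_mode): ?string {
    if ($test_mode && is_string($query['reg'] ?? null)) {
        $candidate = strtoupper($query['reg']);
    } else {
        $country = strtoupper((string) ($server['HTTP_CF_IPCOUNTRY'] ?? ''));
        $state = strtoupper((string) ($server['HTTP_CF_REGION_CODE'] ?? ''));
        $candidate = $state !== '' ? "$country-$state" : $country;
    }
    // Accept only "CC" or "CC-SSS"; anything else counts as unknown.
    return preg_match('/\A[A-Z]{2}(-[A-Z0-9]{1,3})?\z/', $candidate) ? $candidate : null;
}

function example_gate_decision(array $req, array $rules, bool $test_mode): array {
    $path = (string) parse_url($req['server']['REQUEST_URI'] ?? '/', PHP_URL_PATH);
    // Admin, login and (assumed, to avoid a redirect loop) the gate page itself.
    foreach (['/wp-admin/', '/wp-login.php', '/age-gate/'] as $prefix) {
        if (strpos($path, $prefix) === 0) {
            return ['action' => 'allow', 'reason' => 'exempt-path'];
        }
    }
    $region = example_region($req['server'], $req['query'], $test_mode);
    $min_age = null;
    foreach ($region === null ? ['*'] : [$region, substr($region, 0, 2), '*'] as $key) {
        if (isset($rules[$key])) {
            $min_age = (int) $rules[$key];
            break;
        }
    }
    if ($min_age === null) {
        return ['action' => 'allow', 'reason' => 'no-rule'];
    }
    // A ?reg= simulation ignores both the logged-in exemption and the cookie.
    $simulated = $test_mode && is_string($req['query']['reg'] ?? null);
    if (!$simulated && ($req['logged_in'] || $req['cookie_valid'])) {
        return ['action' => 'allow', 'reason' => $req['logged_in'] ? 'logged-in' : 'verified'];
    }
    // Tier 1 (face liveness) only fits a threshold of 18; other ages need ID.
    return ['action' => 'redirect', 'to' => '/age-gate/', 'tier' => $min_age === 18 ? 1 : 2];
}

// Constructed request and thresholds, for illustration only.
$rules = ['US-TX' => 18, 'DE' => 21];
$req = ['server' => ['REQUEST_URI' => '/videos/', 'HTTP_CF_IPCOUNTRY' => 'US',
    'HTTP_CF_REGION_CODE' => 'TX'], 'query' => [], 'logged_in' => false, 'cookie_valid' => false];
print_r(example_gate_decision($req, $rules, false));
print_r(example_gate_decision(['query' => ['reg' => 'DE'], 'logged_in' => true] + $req, $rules, true));
```

The second call shows why test mode should be switched off after testing: with it on, the `?reg=` value takes precedence over the Cloudflare headers for every visitor.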
Each region can have its own minimum age threshold (default is 18). For regions with a minimum age other than 18, the plugin automatically requires Tier 2 verification (government ID) because Tier 1 (face liveness) can only assess minor probability, not exact age. The ID document is needed to extract the date of birth for precise age calculation.