Interstitial consent gate eliminates passive bot session creation. Visitor IP now passed to API for per-IP rate limiting. Recommended for all users, especially high-traffic sites.<\/p>","2.4.2":"
MU plugin cookie handling optimization and improved phpcs annotations.<\/p>","2.4.1":"
Security and compliance improvements for WordPress.org review. Free Plan Admin now uses WP REST API. MU plugin redirect URLs are HMAC-verified. Recommended for all users.<\/p>","2.3.0":"
New free plan with 100 monthly credits, built-in region management, configurable fail behavior, and detailed verification history. Recommended for all users.<\/p>","2.2.0":"
Security improvements including signed cookies, test mode, and setup checklist. Recommended for all users.<\/p>","2.1.0":"
Critical security fix \u2014 removes region parameter override vulnerability. Update immediately.<\/p>"},"ratings":[],"assets_icons":{"icon-128x128.png":{"filename":"icon-128x128.png","revision":3482278,"resolution":"128x128","location":"assets","locale":""},"icon-256x256.png":{"filename":"icon-256x256.png","revision":3482278,"resolution":"256x256","location":"assets","locale":""}},"assets_banners":{"banner-772x250.png":{"filename":"banner-772x250.png","revision":3482278,"resolution":"772x250","location":"assets","locale":""}},"assets_blueprints":{},"all_blocks":[],"tagged_versions":["2.4.2","2.5.0","2.5.1"],"block_files":[],"assets_screenshots":{"screenshot-1.png":{"filename":"screenshot-1.png","revision":3482278,"resolution":"1","location":"assets","locale":""},"screenshot-2.png":{"filename":"screenshot-2.png","revision":3482278,"resolution":"2","location":"assets","locale":""},"screenshot-3.png":{"filename":"screenshot-3.png","revision":3482278,"resolution":"3","location":"assets","locale":""},"screenshot-4.png":{"filename":"screenshot-4.png","revision":3482278,"resolution":"4","location":"assets","locale":""},"screenshot-5.png":{"filename":"screenshot-5.png","revision":3482278,"resolution":"5","location":"assets","locale":""},"screenshot-6.png":{"filename":"screenshot-6.png","revision":3482278,"resolution":"6","location":"assets","locale":""}},"screenshots":{"1":"Settings page with setup checklist and API health check","2":"Age gate page with QR code and verification options","3":"Free Plan Admin \u2014 region management with minimum age","4":"Free Plan Admin \u2014 recent verifications with detailed attempt history","5":"Plan status showing credit usage and remaining balance","6":"Test mode in action \u2014 simulating a region with ?reg= parameter"},"jetpack_post_was_ever_published":false},"plugin_section":[],"plugin_tags":[20012,167282,70877,5616,257722],"plugin_category":[],"plugin_contributors":[257723],"plugin_business_model":[],"class_list":["post-286954","plugin","type-plugin","status-publish","hentry","plugin_tags-adult-content","plugin_tags-age-check","plugin_tags-age-gate","plugin_tags-age-verification","plugin_tags-liveness-detection","plugin_contributors-xyzageverify","plugin_committers-xyzageverify"],"banners":{"banner":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/banner-772x250.png?rev=3482278","banner_2x":false,"banner_rtl":false,"banner_2x_rtl":false},"icons":{"svg":false,"icon":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/icon-128x128.png?rev=3482278","icon_2x":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/icon-256x256.png?rev=3482278","generated":false},"screenshots":[{"src":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/screenshot-1.png?rev=3482278","caption":"Settings page with setup checklist and API health check"},{"src":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/screenshot-2.png?rev=3482278","caption":"Age gate page with QR code and verification options"},{"src":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/screenshot-3.png?rev=3482278","caption":"Free Plan Admin \u2014 region management with minimum age"},{"src":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/screenshot-4.png?rev=3482278","caption":"Free Plan Admin \u2014 recent verifications with detailed attempt history"},{"src":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/screenshot-5.png?rev=3482278","caption":"Plan status showing credit usage and remaining balance"},{"src":"https:\/\/ps.w.org\/xyz-age-verification-free\/assets\/screenshot-6.png?rev=3482278","caption":"Test mode in action \u2014 simulating a region with ?reg= parameter"}],"raw_content":"\n
XYZ Age Verification provides real age verification for WordPress sites that need to comply with age-gating regulations. Unlike simple \"click to confirm\" plugins, XYZ uses biometric liveness detection and optional government ID verification to confirm that a visitor is not a minor.<\/p>\n\n
How it works:<\/strong><\/p>\n\n Key features:<\/strong><\/p>\n\n Free plan included:<\/strong><\/p>\n\n This plugin includes a free plan with 100 verification credits per month \u2014 no credit card required. Register directly from the plugin settings page with just your email address. Credits reset monthly and do not roll over. Additional credit packs are available for sites that need more capacity.<\/p>\n\n Requirements:<\/strong><\/p>\n\n External service \u2014 XYZ Age Verification API:<\/strong><\/p>\n\n This plugin connects to the XYZ Age Verification API at When a visitor triggers age verification, the plugin sends the visitor's country and state codes (derived from Cloudflare headers) to the API to create a verification session. The visitor then interacts directly with the verification UI hosted by the service. No biometric data passes through your WordPress server. The plugin polls the API for session status and receives only a pass\/fail result.<\/p>\n\n The following enhancements are planned for future releases:<\/p>\n\n Currently the age gate applies to your entire site based on visitor region. A future release of the Pro plugin will add a restricted paths<\/strong> mode, allowing site owners to age-gate only specific URL paths (e.g., Credit packs will be available for purchase via PayPal for sites that need more capacity. Purchased credits will be added to a prepaid balance that persists until used \u2014 they will not expire or reset monthly. Multiple packs can be stacked.<\/p>\n\n We are investigating methods to extend age gate protection to files served from This plugin includes the following third-party library:<\/p>\n\n No build tools are required. The library is included as-is from the upstream repository with a minor CSS modification (image display style changed from \"block\" to \"inline-block\" for QR code placement). The unminified source is included in the plugin for review.<\/p>\n\n\n Yes. The plugin itself is completely free and open source. It connects to the XYZ Age Verification API, which includes a free plan with 100 verification credits per month. One credit is consumed per face liveness attempt, and two credits per document verification attempt. Additional monthly credit packs are available for sites that need more capacity.<\/p><\/dd>\n Credits represent verification attempts. Each face liveness check (Tier 1) costs 1 credit. Each document verification attempt (Tier 2) costs 2 credits. Your free plan includes 100 credits per month, which resets on the first of each month. Unused credits do not roll over.<\/p><\/dd>\n This depends on your API Failure Behavior<\/strong> setting. In \"fail open\" mode (the default), visitors are allowed through unverified. In \"fail closed\" mode, visitors are redirected to an error page until credits reset or you purchase additional credits. Verifications that are already in progress when the limit is reached are allowed to complete.<\/p><\/dd>\n The plugin uses Cloudflare's The behavior is controlled by the API Failure Behavior<\/strong> setting on the Age Verification settings page. \"Fail open\" (the default) allows visitors through unverified to prevent your site from going offline. \"Fail closed\" redirects visitors to an error page. European site operators may need \"fail closed\" for regulatory compliance.<\/p><\/dd>\n The MU plugin ( No.<\/strong> WP Rocket's page cache serves static HTML files via its The verification cookie is cryptographically signed using HMAC-SHA256. Setting a fake cookie value will not pass signature verification.<\/p><\/dd>\n Only the verification result (pass\/fail), session metadata, a timestamp, and the visitor's IP address (for fraud detection) are retained. Biometric data (face images, liveness frames) is processed in real-time and discarded immediately. No government ID content is stored \u2014 date of birth is used transiently for age calculation and then discarded. Full details can be found in the Privacy Policy<\/a>.<\/p><\/dd>\n No. The The age gate redirect runs at the must-use plugin level, which executes before WordPress loads user roles. At this stage the plugin can detect that a visitor is logged in, but cannot distinguish between an administrator and a regular member. As a result, all logged-in WordPress users bypass the age gate<\/strong>, not just administrators.<\/p>\n\n For most sites this is not an issue \u2014 anonymous visitors are verified before they can register or log in, so members have already passed verification. However, if your site requires age verification for content that logged-in members can also access (e.g., tiered content where some sections require re-verification), this plugin is not a fit for that use case. Plan your registration flow with this behavior in mind.<\/p><\/dd>\n\n
\n
\n
CF-IPCountry<\/code> and CF-Region-Code<\/code>)<\/li>\nhttps:\/\/age-verify.xyzinc.com<\/code>, operated by XY Zinc (a brand of Chaos Unlimited LLC), to perform biometric liveness detection and government ID document verification. The plugin cannot function without this service \u2014 it is the core verification engine.<\/p>\n\n\n
Planned Features<\/h3>\n\n
Restricted path mode (Pro)<\/h4>\n\n
\/mature\/<\/code>, \/adult-content\/<\/code>) while leaving the rest of the site accessible without verification. This is ideal for sites that contain a mix of general and age-restricted content \u2014 such as sexuality education sites, media outlets with adult sections, or e-commerce stores with age-restricted product categories.<\/p>\n\nAdditional credit packs<\/h4>\n\n
Media file protection<\/h4>\n\n
\/wp-content\/uploads\/<\/code>. Because media files are served directly by the web server and do not pass through WordPress PHP execution, this requires server-level solutions (e.g., Nginx\/Apache rewrite rules, signed URLs, or a PHP-based file proxy). A future release will provide guidance and\/or built-in support for common hosting configurations.<\/p>\n\nThird-Party Libraries<\/h3>\n\n
\n
\n
assets\/js\/qrcode.js<\/code> (unminified source), assets\/js\/qrcode.min.js<\/code> (minified)<\/li>\n<\/ul><\/li>\n<\/ul>\n\n\n
xyz-age-verification-free<\/code> folder to \/wp-content\/plugins\/<\/code>.<\/li>\nage-gate<\/code> and add the [xyzav_age_verify]<\/code> shortcode to its content.<\/li>\nmu-plugin\/xyz-age-gate-redirect.php<\/code> from the plugin folder to \/wp-content\/mu-plugins\/<\/code>. Create the mu-plugins<\/code> directory if it does not exist.<\/li>\n\/age-gate\/<\/code> from caching. Note: WP Rocket is not compatible<\/strong> (see FAQ).<\/li>\n\n
Is this plugin free?<\/h3><\/dt>\n
What are verification credits?<\/h3><\/dt>\n
What happens when my credits run out?<\/h3><\/dt>\n
Why does this plugin require Cloudflare?<\/h3><\/dt>\n
CF-IPCountry<\/code> and CF-Region-Code<\/code> headers to determine visitor location for region-specific age verification rules. These headers are added automatically when your site is proxied through Cloudflare. A free Cloudflare plan provides these headers.<\/p><\/dd>\nWhat happens if the API is unreachable?<\/h3><\/dt>\n
What is the must-use plugin for?<\/h3><\/dt>\n
xyz-age-gate-redirect.php<\/code>) runs early in the WordPress loading process, before most plugins. It checks Cloudflare geo headers and the verification cookie on every request, redirecting unverified visitors to the age gate page. This early execution is essential for the age gate to work reliably.<\/p><\/dd>\nIs this plugin compatible with WP Rocket?<\/h3><\/dt>\n
advanced-cache.php<\/code> drop-in, which executes before must-use plugins load. This means WP Rocket can serve cached pages to unverified visitors, bypassing the age gate entirely. WP Rocket does not currently offer a way to conditionally cache based on cookie presence. Other page cache plugins that respect the standard WordPress loading order are compatible \u2014 just exclude \/age-gate\/<\/code> from caching.<\/p><\/dd>\nCan visitors bypass the age gate with browser dev tools?<\/h3><\/dt>\n
What data is collected during verification?<\/h3><\/dt>\n
Will the age gate block me from my own WordPress admin?<\/h3><\/dt>\n
\/wp-admin\/<\/code> area and the login page are always exempted from the age gate. Additionally, all logged-in WordPress users are automatically bypassed at the redirect level, so administrators, editors, and other authenticated users will not encounter the age gate while browsing the site.<\/p><\/dd>\nHow does this work with membership or subscriber sites?<\/h3><\/dt>\n