XYZ Age Verification

Most WordPress age verification plugins are age gates — a popup that asks visitors to click “Yes, I’m 18+” or pick a birthday from a dropdown. Anyone, including a minor, can click through in under a second. That used to be the standard. It is no longer a defensible compliance measure under the UK Online Safety Act, US state age verification laws (Texas, Louisiana, Virginia, and a growing list), or EU age assurance requirements under the Digital Services Act.

XYZ Age Verification is different. It confirms visitors are adults using a real-time selfie liveness check, with automatic escalation to government ID verification for borderline cases or stricter age thresholds. No biometric data is stored. No checkbox to lie to. No date-of-birth dropdown that a child can spin in five seconds.

When you need this plugin:

• UK sites subject to the Online Safety Act and OFCOM enforcement
• US sites subject to state-level age verification laws (Texas, Louisiana, Virginia, Utah, and a growing list)
• EU sites subject to age assurance requirements under the Digital Services Act
• Adult content, cannabis, alcohol, tobacco, firearms, and gambling sites where a click-through popup is no longer sufficient
• Any site where “the visitor clicked Yes” is insufficient evidence that your audience is adult-only

Important — Cloudflare is required:

This plugin requires that your site is proxied through Cloudflare’s network. This is not an optional integration. Without Cloudflare, the plugin cannot determine where visitors are connecting from, and it will not work.

Setting up Cloudflare involves changing your domain’s DNS settings to point at Cloudflare’s nameservers. This is a real infrastructure change with real consequences:

• Your email may stop working if you don’t carefully preserve your existing MX, SPF, DKIM, and DMARC records during the migration.
• Other services that depend on DNS (subdomains, third-party integrations, SSL certificates) may need attention.
• Reverting the change takes 24-48 hours for DNS propagation, so mistakes are not immediately undoable.

If you do not have experience with DNS migration, or if your site’s email and DNS are managed by someone else, please read these guides before installing the plugin:

• Why XYZ Age Verification requires Cloudflare — explains what the plugin needs from Cloudflare and why no alternative works
• Cloudflare setup guide — step-by-step migration, with email preservation as the explicit focus

This plugin is not a fit for site owners who are not prepared to manage their own DNS. If your site is hosted on a fully-managed platform where DNS is controlled by the host, or if the prospect of changing nameservers is unfamiliar, consider hiring help for the Cloudflare migration before installing. Alternatively, simpler self-declaration age gate plugins may better match your operational comfort level — they are not real verification, but they also do not require infrastructure changes.

Why XYZ Age Verification:

• Real verification, not self-declaration — Biometric liveness detection (iBeta Level 2 certified) plus optional government ID verification
• Privacy by design — Biometric data is processed in real time and discarded immediately. Nothing is stored. No central database of faces or IDs
• Smart escalation — Most adult visitors complete verification with a quick selfie. Only borderline cases are asked for ID, minimizing friction
• Region-specific rules — Apply verification only where you need it, using Cloudflare’s geo detection. Configure different thresholds per country or US state
• Free plan included — 100 verifications per month, no credit card required. Sign up directly from the plugin settings page
• Cryptographically signed cookies — Visitors can’t bypass the gate with browser dev tools

Free plan included:

This plugin includes a free plan with 100 verification credits per month — no credit card required. Register directly from the plugin settings page with just your email. Credits reset monthly. Additional credit packs are available via PayPal for sites that need more capacity; your first purchase includes 300 bonus credits and switches your site to prepaid billing (credits do not expire or reset monthly).

How it works:

1. Visitors from configured regions are redirected to an age verification page.
2. They complete a face liveness check (Tier 1) or liveness plus government ID verification (Tier 2). Tier 1 produces a binary adult/not-adult result — it does not estimate age.
3. If the liveness check indicates the visitor may be a minor, the system automatically escalates to government ID verification. For age thresholds other than 18 (e.g., 21+ for alcohol or cannabis), Tier 2 is required because only an ID document provides a verifiable date of birth.
4. Upon a successful verification, a cryptographically signed cookie is set and the visitor is granted access.
5. All biometric data, selfies, and document images are discarded immediately after the verification completes — regardless of the result.

Requirements:

• An XYZ Age Verification API key (register for a free plan directly from the plugin settings, or sign up at xyzinc.com)
• Cloudflare proxying — your domain’s DNS must be managed through Cloudflare’s network. A free Cloudflare plan provides everything the plugin needs (the geo detection headers CF-IPCountry and CF-Region-Code). See the “Cloudflare is required” section above for the implications of changing your DNS.
• HTTPS enabled

External service — XYZ Age Verification API:

This plugin connects to the XYZ Age Verification API at https://age-verify.xyzinc.com, operated by XY Zinc (a brand of Chaos Unlimited LLC), to perform biometric liveness detection and government ID document verification. The plugin cannot function without this service — it is the core verification engine.

When a visitor triggers verification, the plugin sends the visitor’s country and state codes (derived from Cloudflare headers) to the API to create a verification session. The visitor then interacts directly with the verification UI hosted by the service. No biometric data passes through your WordPress server. The plugin polls the API for session status and receives only a pass/fail result.

• Terms of Use
• Privacy Policy
• Service information

Complete feature list:

• Two-tier verification: face liveness check, or liveness plus government ID
• Region-specific rules with Cloudflare geo detection
• Configurable minimum age per region (Tier 2 automatically enforced for thresholds above 18)
• Exempt paths — leave specific URLs (homepage, privacy policy, registration, etc.) accessible to all visitors even from gated regions
• QR code for mobile phone verification
• Popup or same-device verification options
• Real-time session status polling
• Configurable bypass cookies for pre-verified users
• Configurable fail-open or fail-closed behavior for API outages and credit exhaustion
• Cryptographically signed verification cookies (HMAC-SHA256)
• Server-side API key handling (never exposed to the browser)
• Logged-in WordPress users automatically bypass the age gate
• Built-in admin: manage regions, thresholds, and view verification history
• Setup checklist and API health check on the settings page
• Admin notices for common misconfigurations
• Contextual help tabs with setup guide and troubleshooting
• Compatible with standard WordPress page caches (not compatible with WP Rocket — see FAQ)

Planned Features

Media file protection — available now in XYZ Protect

Media files in /wp-content/uploads/ are served directly by your web server and do not pass through WordPress PHP execution, so a free WordPress plugin cannot restrict them. XYZ Protect is a separate licensed plugin that solves this problem using a Cloudflare Worker — every media request is authorized before the file is served. XYZ Protect can be combined with this plugin for sites that need both page gating and file-level protection.

Restricted path mode (planned)

The current model gates the entire site for visitors from configured regions, with the new Exempt Paths feature (2.5.4) allowing specific URLs to bypass the gate. A future release will add the inverse model — restricted paths — where the gate applies only to specific URL paths (e.g., /mature/, /adult-content/) and the rest of the site is accessible without verification.

• Exempt paths (current) is the right model for sites that are mostly age-restricted with a few accessible pages (homepage, privacy policy, registration).
• Restricted paths (planned) is the right model for sites that are mostly accessible with a small age-restricted section — for example, sexuality education sites, media outlets with adult sections, or e-commerce stores with age-restricted product categories.

Additional credit packs (available now)

Credit packs are available for purchase via PayPal at xyzinc.com/credits. Purchased credits persist until used — they do not expire or reset monthly. Multiple packs can be stacked. Your first purchase includes a bonus of 300 credits and switches your site to prepaid billing, replacing the monthly free credit allocation.

Third-Party Libraries

This plugin includes the following third-party library:

• QRCode.js — Client-side QR code generation
  • Source: https://github.com/davidshimjs/qrcodejs
  • License: MIT
  • Files: assets/js/qrcode.js (unminified source), assets/js/qrcode.min.js (minified)

No build tools are required. The library is included as-is from the upstream repository with a minor CSS modification (image display style changed from “block” to “inline-block” for QR code placement). The unminified source is included for review.