Cloudflare Setup for XYZ Age Verification
The XYZ Age Verification plugin requires Cloudflare to detect visitor locations. This guide walks through setting up Cloudflare if your site isn't already proxied through it.
Why Cloudflare Is Required
The plugin uses two HTTP headers that Cloudflare adds to every request:
- CF-IPCountry — the visitor's country code (e.g., US, DE, GB)
- CF-Region-Code — the visitor's state or province code (e.g., TX, CA, BY)
These headers are how the plugin knows which region a visitor is from and whether they need to be age-verified. Without Cloudflare, the plugin has no way to determine visitor location and the age gate will not activate.
Cloudflare Free Plan Is Sufficient
You do not need a paid Cloudflare plan. The free plan includes:
- DNS proxying with geo headers
- HTTPS with universal SSL certificates
- Basic DDoS protection
- CDN caching
The geo headers used by the plugin are available on all Cloudflare plans, including the free tier.
Setting Up Cloudflare
Step 1: Create a Cloudflare Account
- Go to cloudflare.com and sign up.
- Click Add a Site and enter your domain name.
- Select the Free plan.
Step 2: Update Your DNS Records
Cloudflare will scan your existing DNS records. Review them and make sure:
- Your A record pointing to your server IP is present
- The proxy status (orange cloud icon) is Proxied, not DNS-only
If the cloud icon is gray ("DNS only"), click it to toggle to orange ("Proxied"). The proxy must be enabled for Cloudflare to add the geo headers.
Step 3: Change Your Nameservers
Cloudflare will provide you with two nameservers. Update your domain registrar to use these nameservers. This usually takes effect within a few hours but can take up to 48 hours.
Step 4: Configure SSL/TLS
In your Cloudflare dashboard:
- Go to SSL/TLS > Overview.
- Set the mode to Full (strict) if your server has a valid SSL certificate, or Full if it has a self-signed certificate.
- Do NOT use "Flexible" — this can cause redirect loops with WordPress.
Step 5: Verify the Headers
After DNS propagation completes, verify the headers are working:
curl -sI https://yoursite.com | grep -i cf-
You should see headers like:
cf-cache-status: DYNAMIC
cf-ray: abc123-ORD
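The curl output only shows response headers. The geo headers are added to the request that Cloudflare forwards to your server, so they will not appear here. To verify geo headers specifically, check from within WordPress. The plugin's setup checklist will show whether it can detect Cloudflare headers.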
Step 6: Add visitor location headers
Follow the instructions on this page to enable Cloudflare's visitor location headers managed transform:
https://developers.cloudflare.com/rules/transform/managed-transforms/configure/
Common Issues
"DNS only" Instead of "Proxied"
If your DNS record shows a gray cloud, Cloudflare is only providing DNS resolution — not proxying traffic. The geo headers will not be present. Toggle the record to "Proxied" (orange cloud).
Cloudflare Behind a CDN or Load Balancer
If you have another CDN or proxy in front of Cloudflare, the geo headers may be stripped. Cloudflare should be the outermost proxy for the headers to reach your WordPress server.
Subdomain Not Proxied
Each subdomain needs its own DNS record with proxy enabled. If your WordPress site is on a subdomain (e.g., blog.yoursite.com), make sure that specific subdomain has a proxied A or CNAME record.
IP Geolocation Accuracy
Cloudflare determines location based on the IP address of the visitor. In rare cases (VPNs, corporate proxies), the detected location may not match the visitor's actual location. This is a known limitation of IP-based geolocation and applies to all geo-detection systems.
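As an added example (not the plugin's own code), the Python function below classifies one request's headers, as the origin server receives them, into the issues listed above. It assumes Cloudflare sends CF-Ray on the requests it forwards to the origin and uses Cloudflare's documented XX and T1 country values; the function name, status labels and sample requests are constructed for illustration.

```python
# Added example, not plugin code. Headers are checked as the origin server
# receives them; lookups are case-insensitive because HTTP header names are.

UNKNOWN_COUNTRY = {"XX", "T1"}  # Cloudflare: XX = no country data, T1 = Tor


def diagnose_geo_headers(headers):
    """Return (status, advice) for one request's header mapping."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    country = h.get("cf-ipcountry", "").upper()
    region = h.get("cf-region-code", "").upper()

    if "cf-ray" not in h:
        # No Cloudflare request ID: the request did not pass through the proxy,
        # so any geo header on it is not treated as coming from Cloudflare.
        return ("not_proxied",
                "Set the DNS record for this hostname to Proxied (orange cloud).")
    if not country:
        return ("country_missing",
                "Proxied, but CF-IPCountry is absent; check for another proxy "
                "or CDN in the chain that strips headers.")
    if country in UNKNOWN_COUNTRY:
        return ("country_unknown",
                f"Cloudflare could not place this visitor ({country}).")
    if not region:
        return ("region_missing",
                "Enable the visitor location headers managed transform (Step 6).")
    return ("ok", f"Visitor located in {country}-{region}.")


# Constructed sample requests, one per issue described in the guide.
SAMPLES = {
    "gray cloud": {"Host": "blog.yoursite.com"},
    "stripped": {"CF-Ray": "abc123-ORD"},
    "tor exit": {"CF-Ray": "abc123-ORD", "CF-IPCountry": "T1"},
    "no transform": {"CF-Ray": "abc123-ORD", "CF-IPCountry": "US"},
    "working": {"cf-ray": "abc123-ORD", "cf-ipcountry": "us",
                "cf-region-code": "tx"},
}

if __name__ == "__main__":
    for label, request_headers in SAMPLES.items():
        status, advice = diagnose_geo_headers(request_headers)
        print(f"{label:13} {status:16} {advice}")
```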
WordPress-Specific Cloudflare Settings
Page Rules (Optional)
If you want to exclude specific paths from Cloudflare's cache but still keep proxying active, use Page Rules:
yoursite.com/wp-admin/* — Cache Level: Bypass
yoursite.com/age-gate/* — Cache Level: Bypass
Cloudflare Plugin for WordPress
The Cloudflare WordPress plugin is optional but can help with:
- Automatic cache purging when you update content
- Restoring the real visitor IP address in WordPress logs
- One-click optimizations
It is not required for the age verification plugin to work.
Next Steps
If you want to ensure that search engine bots and well-behaved crawlers are able to bypass the age gate, follow the instructions in Setting the Cloudflare Bot Header.
Once Cloudflare is active and proxying your site, return to the Installation Guide to complete the plugin setup.