Title: Borderage Core Author: brekam Published: मार्च 18, 2026 Last modified: मार्च 18, 2026 --- Search plugins ![](https://ps.w.org/borderage-core/assets/icon.svg?rev=3485986) # Borderage Core By [brekam](https://profiles.wordpress.org/brekam/) [Download](https://downloads.wordpress.org/plugin/borderage-core.zip) * [Details](https://mai.wordpress.org/plugins/borderage-core/#description) * [Reviews](https://mai.wordpress.org/plugins/borderage-core/#reviews) * [Installation](https://mai.wordpress.org/plugins/borderage-core/#installation) * [Development](https://mai.wordpress.org/plugins/borderage-core/#developers) [Support](https://wordpress.org/support/plugin/borderage-core/) ## Description Borderage Core protects your WordPress site by requiring age verification for visitors. Unlike traditional ID-based systems, BorderAge uses **hand gesture recognition**– no selfie, no ID document required. **Features:** * Protect entire site or specific pages * Hand gesture verification (no facial recognition) * Visitor account system for returning users * Unified login form (WordPress account first, then visitor account fallback) * Credit alert system – Automatic email notifications when credits run low * Rate limiting – Prevent brute force verification attempts * Login brute-force protection – Rate limiting on account login attempts * Health logging system – 24-hour internal monitoring with export * Statistics dashboard – View verification metrics (total, adults, minors) * Customizable verification page styling * Multi-language support (EN, FR, DE, ES) * Developer tools – Testing utilities and data reset * Debug mode with logging and export functionality **Requirements:** * BorderAge API credentials (site_id and site_secret_key) * Credits for new verifications (existing verified users can still access) * Pretty permalinks enabled in WordPress Settings For more information, visit [borderage.com](https://borderage.com/) or contact us at [contact@needemand.com](https://mai.wordpress.org/plugins/borderage-core/contact@needemand.com?output_format=md) ### Admin Pages Borderage Core provides 8 configuration tabs accessible via **BorderAge** in the WordPress admin menu: Tab Description Purpose Configuration API credentials and basic settings Enter your site_id, secret_key, enable/disable plugin, set debug mode Protection Protection mode and protected pages Choose to protect all pages or specific pages, configure rate limiting Appearance Form styling customization Customize verification page colors, button styles, and layout Statistics Verification metrics dashboard View total verifications, adult/minor breakdown, monthly statistics Guide User documentation Complete usage guide and setup instructions Developers API documentation Technical reference for developers integrating with BorderAge Debug Health logs viewer View system health logs, export debug information Dev Tools Testing utilities Reset visitor data, clear logs, testing functions ( debug mode only) **Navigation:** Click on the “Borderage” menu item in WordPress admin to access all tabs. Each tab provides a specific set of configuration options and tools. ### External Services This plugin connects to the **BorderAge API** at `pool.borderage.com` for age verification services. #### When data is transmitted 1. **During age verification** – When a visitor clicks “Verify now” 2. **Credit balance check** – When admin pages load to display remaining credits 3. **Statistics retrieval** – When the Statistics dashboard loads to display verification metrics 4. **Health logging** – Internal monitoring events (not transmitted to external API) #### Data transmitted Data Description Purpose site_id Your site identifier Identify your site user_id SHA256 hashed visitor ID Pseudonymized visitor tracking age Age threshold Verification requirement hash Security signature Request validation is_over_age Boolean (true/false) Age verification result result_hash Callback validation hash Verify callback authenticity reference_id Attempt reference for rate limiting Track verification attempts **Hash Generation:** * Credits check: `hash('sha256', timestamp . site_id . secret_key)` * Callback verification: `hash('sha1', result . user_id . age . secret_key)` **Privacy note:** This plugin and the BorderAge API store only pseudonymized data: a hashed visitor ID and a boolean indicating whether the age threshold was met. ** Zero Personally Identifiable Information (PII)** is stored or transmitted – no names, emails. Unlike competitors, BorderAge uses **no biometric fingerprinting**, **no selfies**, and **no ID documents**. This eliminates any risk of personal data leaks, as such data simply doesn’t exist in our system. For more details about BorderAge’s technology and privacy-first approach, visit [https://borderage.com/technology/](https://borderage.com/technology/) #### Service links * **Privacy Policy:** [https://borderage.com/politique-confidentialite/](https://borderage.com/politique-confidentialite/) * **Technology information:** [https://borderage.com/technology/](https://borderage.com/technology/) * **Service website:** [https://borderage.com/](https://borderage.com/) **Terms of Service:** BorderAge’s Terms of Use are negotiated individually between each client and Needemand (creator of the BorderAge SaaS). Contracts are established on a case-by-case basis rather than using a generic public ToS. Please contact BorderAge to discuss your specific terms. ### Privacy Policy **Data processed by this plugin:** 1. **Visitor verification status** – Stored in browser cookies to remember verified visitors (expires after 24 hours) 2. **Visitor accounts** – Optional accounts for returning visitors (email, hashed password) 3. **Verification logs** – Records of verification callbacks for debugging (24-hour retention) 4. **Health logs** – Internal system monitoring logs (24-hour retention, JSON format) **Data sent to the external BorderAge API:** Only pseudonymized data is transmitted and stored: a hashed visitor ID (SHA256) and a boolean indicating whether the age verification was successful (is_over_age: true/false). Additional metadata includes site_id, age threshold, and security hashes for validation. **What makes BorderAge different:** * **Zero PII storage** – Neither this plugin nor the BorderAge API store any Personally Identifiable Information * **No biometric fingerprint** – No biometric data is collected, stored, or transmitted * **No data leak risk** – Impossible to leak personal data that doesn’t exist * **Privacy by design** – Hand gesture verification without selfies, ID documents, or facial recognition * **Rate limiting protection** – Prevents brute force verification attempts * **Automatic cleanup** – Verification tokens and logs expire after 24 hours For complete privacy information, see the [BorderAge Privacy Policy](https://borderage.com/politique-confidentialite/). ## Installation 1. Upload the `borderage-core` folder to `/wp-content/plugins/` 2. Activate the plugin through the ‘Plugins’ menu in WordPress 3. **Important:** Ensure **Pretty Permalinks** are enabled in **Settings > Permalinks**( required for verification callback) 4. Go to **BorderAge > Configuration** to enter your API credentials (site_id and site_secret_key) 5. Navigate to **BorderAge > Protection** to enable protection and configure protected pages or entire site 6. Customize the verification page appearance in **BorderAge > Appearance** 7. Optionally configure credit alerts and rate limiting in **BorderAge > Protection** For detailed setup instructions, visit the **Guide** tab in the BorderAge admin menu. ## FAQ ### How do I get API credentials? Contact BorderAge at borderage@needemand.com or visit [borderage.com](https://borderage.com/) to obtain your site_id and site_secret_key. ### What happens when credits run out? Already-verified visitors (with valid cookies) can still access protected pages. New visitors will see the verification page but won’t be able to complete verification until credits are replenished. You can configure automatic email alerts in the Protection tab to notify you when credits fall below a threshold (default: 100). ### Is facial recognition used? No. BorderAge uses hand gesture recognition only. Visitors wave their hand to verify their age – no selfie, no ID document, no facial data. ### Does this guarantee legal compliance? This plugin is a tool to assist with age verification. Compliance with applicable laws depends on your jurisdiction and implementation. Consult legal counsel for compliance advice. ### How does the security system work? BorderAge Core includes a multi-layer security system to protect against abuse: **Token-Based Protection:** 1. **Token Creation** – When a visitor starts verification, a unique one-time token is created in the database 2. **BorderAge Callback** – The API returns a callback URL. The plugin validates the token exists and hasn’t been used yet 3. **Token Consumption** – If valid, the token is marked as used and the visitor can create an account 4. **Expiration** – Tokens expire after 5 minutes or 24 hours (for cleanup) **Rate Limiting:** 1. **Attempt Tracking** – Each verification attempt generates a unique reference ID 2. **Configurable Limits** – Set max attempts (default: 1) and time window in hours( default: 24) 3. **Enforcement** – When limit is exceeded, visitors see a 429 error page 4. **Automatic Cleanup** – Old attempts are removed after the time window expires **Unified Login + Login Rate Limiting:** 1. **Single Login Form** – Visitors use one login form from the verification page 2. **Dual Authentication Order** – Plugin checks WordPress credentials first, then falls back to visitor account credentials 3. **Login Attempt Tracking** – Failed login attempts are rate-limited with anonymized references 4. **Privacy by Design** – No IP address is stored in the database for login rate limiting **Security Benefits:** * Prevents callback URL sharing and account fraud * One-time tokens eliminate reuse attempts * Rate limiting prevents brute force verification attempts * Hash verification ensures callback authenticity * Automatic cleanup prevents stale data * Transparent to users – seamless experience * GDPR/CNIL compliant – no IP addresses or personal data stored ### How do credit alerts work? The credit alert system automatically notifies you when your BorderAge credit balance falls below a configured threshold: * **Configuration:** Set alert threshold (default: 100 credits) in BorderAge > Protection * **Email Setup:** Enter your notification email address * **Enable/Disable:** Toggle credit alerts on or off * **Daily Checks:** A cron job checks your balance once per day * **Duplicate Prevention:** Only one alert sent per low-balance period * **Test Email:** Send a test email to verify your configuration This ensures you never run out of credits unexpectedly, keeping your age verification running smoothly. ### What is rate limiting? Rate limiting prevents brute force verification attempts by limiting the number of verification attempts a visitor can make within a configured time period: * **Default Settings:** 1 attempt per 24 hours * **Customizable:** Adjust max attempts and time window in Protection tab * **How it Works:** Each attempt is tracked by visitor. When limit is exceeded, a 429 error page is displayed * **Reference Tracking:** Unique reference IDs are generated for failed attempts * **Protection:** Prevents automated verification attempts and abuse The plugin also applies rate limiting to login attempts on the unified login form to reduce brute-force attacks. You can configure rate limits in BorderAge > Protection to match your security needs. ### How do I use developer tools? The Developer Tools tab (BorderAge > Dev Tools) provides testing utilities: * **Reset Visitor Data:** Clear all visitor accounts and verification cookies * **Reset Callback Logs:** Remove all verification callback records * **Clear Health Logs:** Delete internal health monitoring logs * **Debug Mode Only:** These tools are only available when debug mode is enabled **Caution:** These actions permanently delete data. Use with care in production environments. Always backup before resetting data. ### How do I debug verification issues? Enable Debug Mode in BorderAge > Configuration, then use these tools: * **Health Logs:** View in BorderAge > Debug tab – shows system events and errors * **Export Debug Info:** Download complete debug dump as JSON * **Developer Tools:** Reset testing data and clear logs in Dev Tools tab * **Callback Logs:** View verification callback attempts in database * **Health Log Export:** Export logs to CSV for analysis Log levels include: info, warning, error, api, callback, debug. Logs are retained for 24 hours automatically. ### What are the health logs? Health logs provide internal system monitoring for troubleshooting: * **Location:** Stored in protected JSON files with .htaccess * **Format:** JSON with timestamp, level, message, and context * **Log Levels:** info, warning, error, api, callback, debug * **Retention:** Automatically cleaned up after 24 hours * **Privacy:** Sensitive data is masked in logs * **Access:** View via BorderAge > Debug tab * **Export:** Download as JSON or CSV for external analysis Health logs help identify API communication issues, verification failures, and system errors. ### Why do I need pretty permalinks? Pretty permalinks are required for the verification callback URL to function correctly: * **Technical Reason:** The callback endpoint requires URL rewriting * **Impact:** Without pretty permalinks, verification callbacks fail * **Setup:** Go to Settings > Permalinks, select any option except “Plain” * **Verification:** An admin notice will alert you if permalinks are incompatible * **Server Requirement:** Requires mod_rewrite on Apache or rewrite rules on Nginx The plugin displays an admin notice if pretty permalinks are not enabled, helping you troubleshoot configuration issues. ### How do the statistics work? The Statistics dashboard (BorderAge > Statistics) displays verification metrics: * **Total Verifications:** Count of all completed verifications * **Adult/Minor Breakdown:** Number of visitors verified as adults vs minors * **Monthly Statistics:** Verification trends over time * **Data Source:** Retrieved from BorderAge API * **Caching:** Data cached for 10 minutes to reduce API calls * **Debug Mode:** Displays mock data for testing without API access Statistics help you track verification performance and understand your visitor demographics. ### What is the visitor account system? The visitor account system provides a convenient way for returning visitors to avoid repeated verification: * **Account Creation:** Optional after successful verification * **Login-based Access:** Logged-in visitors bypass verification * **Cookie Fallback:** Unregistered visitors remembered via cookies (24h) * **Credentials:** Email and hashed password stored securely * **Integration:** Works with WordPress user system This feature improves user experience for frequent visitors while maintaining security. ### Why does the plugin call wp_signon() from a custom endpoint instead of a custom login? The plugin provides one unified login entry point for two account types: WordPress users (admins/editors/members) and BorderAge visitor accounts. Using `wp_signon()` is technically necessary because WordPress users must be authenticated by WordPress itself, not by plugin-specific password logic. Why this uses WordPress core authentication instead of custom verification: * **Core password handling** – uses WordPress native hashing and authentication flow * **Session compatibility** – keeps standard WordPress auth cookies and login state * **Role and capability continuity** – existing WordPress roles are preserved without custom mapping * **Pluggable ecosystem support** – remains compatible with plugins relying on WordPress auth hooks * **Reduced security surface** – avoids duplicating sensitive credential logic in plugin code Security controls enforced on this endpoint: * **POST-only processing** – non-POST requests are rejected * **Nonce verification** – `borderage_visitor_login` must be valid before authentication * **Input hardening** – login and redirect input are normalized/sanitized * **Safe redirect handling** – redirect target is validated before use * **Login rate limiting** – failed attempts are throttled with anonymized references( no IP storage) * **No long-lived guest-flow sessions** – `remember => false` disables persistent“ remember me” cookies in this flow * **HTTPS-aware cookie behavior** – `is_ssl()` aligns auth cookie security with the current transport context If WordPress authentication fails, the plugin falls back to visitor-account authentication while keeping the same nonce, redirect validation, and rate-limiting safeguards. ## Reviews There are no reviews for this plugin. ## Contributors & Developers “Borderage Core” is open source software. The following people have contributed to this plugin. Contributors * [ brekam ](https://profiles.wordpress.org/brekam/) [Translate “Borderage Core” into your language.](https://translate.wordpress.org/projects/wp-plugins/borderage-core) ### Interested in development? [Browse the code](https://plugins.trac.wordpress.org/browser/borderage-core/), check out the [SVN repository](https://plugins.svn.wordpress.org/borderage-core/), or subscribe to the [development log](https://plugins.trac.wordpress.org/log/borderage-core/) by [RSS](https://plugins.trac.wordpress.org/log/borderage-core/?limit=100&mode=stop_on_copy&format=rss). ## Changelog #### 0.1.0 * Initial release * Unified login form with WordPress-first authentication and visitor fallback * Login brute-force protection with anonymized rate-limit tracking (no IP stored) * Age verification via hand gesture * Full site or specific page protection * Visitor account system * Multi-language support (EN, FR, DE, ES) * Customizable verification page * Debug mode for testing * Credit alert system * Rate limiting protection * Health logging system * Statistics dashboard * Developer tools * 8 admin configuration tabs * Token-based callback security * Permalink requirement check ## Meta * Version **0.1.0** * Last updated **3 weeks ago** * Active installations **Fewer than 10** * WordPress version ** 6.2 or higher ** * Tested up to **6.9.4** * PHP version ** 8.1 or higher ** * Language * [English (US)](https://wordpress.org/plugins/borderage-core/) * Tags * [adult content](https://mai.wordpress.org/plugins/tags/adult-content/)[age gate](https://mai.wordpress.org/plugins/tags/age-gate/) [age verification](https://mai.wordpress.org/plugins/tags/age-verification/)[compliance](https://mai.wordpress.org/plugins/tags/compliance/) * [Advanced View](https://mai.wordpress.org/plugins/borderage-core/advanced/) ## Ratings No reviews have been submitted yet. [Your review](https://wordpress.org/support/plugin/borderage-core/reviews/#new-post) [See all reviews](https://wordpress.org/support/plugin/borderage-core/reviews/) ## Contributors * [ brekam ](https://profiles.wordpress.org/brekam/) ## Support Got something to say? Need help? [View support forum](https://wordpress.org/support/plugin/borderage-core/)