Get every WordPress plugin you ship CRA-ready

Both. When you build, customise, install, or operate a WordPress product for a client on the EU market, you sit somewhere on the CRA "manufacturer / importer / distributor" spectrum depending on the engagement. At a minimum you need a per-plugin self-assessment, evidence of secure-by-default config, and a documented vulnerability disclosure route. WP HealthKit's fleet dashboard tracks the verdict per plugin × per client; the per-plugin Declaration of Conformity export is the artifact the regulator will want to see.

Article 28 of the CRA requires manufacturers to issue an EU Declaration of Conformity for each product confirming compliance with Annex I essential cybersecurity requirements. WP HealthKit generates this per plugin: open any audit in the agency fleet view, click "CRA →" on the plugin's compliance row, and the system produces a print-ready document mapping Annex I §1(2) requirements to your audit findings, with the agency branding, signature block, and verification URL included.

Yes — if the plugin is maintained by a commercial entity, distributed as part of a commercial service, or used in a commercial context, the CRA applies regardless of whether end users pay for the plugin directly. Free plugins distributed by a company that earns revenue from related services are in scope.

An SBOM (Software Bill of Materials) is a structured inventory of every software component your plugin includes — Composer packages, npm dependencies, bundled libraries, and third-party scripts. The CRA requires it so that when a vulnerability is discovered in a component, you can immediately identify which of your products are affected. Without an SBOM, you cannot efficiently comply with the 24-hour early warning obligation.

Yes. Every WP HealthKit audit generates a CycloneDX-format SBOM covering Composer packages, npm packages, and bundled third-party libraries detected in the plugin ZIP. The SBOM is downloadable from the audit report page and can be submitted to ENISA or provided to customers as part of your compliance documentation.

Under Article 14 of the CRA, manufacturers must notify ENISA within 24 hours of becoming aware of an actively exploited vulnerability in their product. A further detailed notification is due within 72 hours. This is separate from public disclosure — the 24-hour clock is for regulatory reporting.

At minimum, a published security.txt or SECURITY.md file with a contact method where security researchers can report vulnerabilities to you privately. You must also have a process for responding to those reports and issuing fixes. WP HealthKit checks for the presence and completeness of these files in every audit.

Fines of up to 15 million euros or 2.5% of global annual turnover, whichever is higher. Market access can also be restricted — non-compliant products can be prohibited from the EU market entirely.