The compliance layer your WordPress agency is missing
CRA, GDPR, WCAG, EAA — across every client site, every plugin, every update. One fleet dashboard, a morning digest the moment anything moves, and per-plugin conformity statements ready for the regulator.
No card required · 14-day trial · Legacy customers stay on £149/mo for 12 months
Compliance debt scales with your fleet
Every client site you run is a regulated product. The Cyber Resilience Act takes effect 11 September 2026 and requires a documented self-assessment per product, security updates, and vulnerability disclosure. GDPR, WCAG, and the European Accessibility Act stack on top.
Tracking that posture across 50 client sites and 200 plugins in spreadsheets isn't a thing your team can do, and Wordfence won't do it for you. WP HealthKit is the compliance layer: continuous audits, fleet-wide grid, per-plugin conformity statements, finding-level workflow.
How agencies use WP HealthKit
One platform per agency. Every client's plugin and theme posture in one place.
Fleet dashboard
One screen for every client × every plugin/theme. Compliance chips, score delta, last-audit timestamp. Filter by framework status or "changed since last visit".
CRA / GDPR / WCAG / EAA grid
Per-plugin verdicts derived from the audit findings. Click any row to export the EU Declaration of Conformity for the September 2026 deadline.
Morning digest
One email per agency per day. Score drops, new CVEs that match your fleet, compliance shifts, new upstream versions. Empty mornings mean nothing moved.
Finding assignment workflow
Assign findings to team members, track status (Open / In Progress / Fixed / Accepted), and discuss in threaded comments. Filter the portfolio view by status or assignee.
Continuous monitoring
Re-audit a plugin the day it ships a new version. CVE-watch matches new vulnerability disclosures against every slug in your fleet within hours.
Conformity statements
Per-plugin CRA Declaration of Conformity as printable HTML. Agency-branded, signature block included, ready to hand a client or a regulator.
Unlimited audits in portfolio
Once a plugin is in a client's portfolio, audit it as often as you like — manually, on update, or via the API. Re-audits within 14 days are free.
5 team seats
Every developer, QA engineer, and PM can run audits, assign findings, and reply to comments. Seat-level activity is visible to the owner.
REST API + webhooks + CI/CD
Wire findings into Linear, Notion, or your own dashboard. GitHub Actions for audit-on-push. MCP server for Claude / Cursor / other AI tools.
Everything in the Agency plan
Agency (£149/mo) is the full compliance platform — unlimited audits in your portfolio, fleet dashboard, morning digest, CRA / GDPR / WCAG / EAA reports, finding workflow, white-label PDFs, and REST API.
One platform, everything included
Agency
£149/month
or £124/mo billed annually · save £300/yr
Unlimited audits in portfolio, fleet dashboard, morning digest, CRA / GDPR / WCAG / EAA reports, finding workflow.
Start free trial
14-day free trial · No credit card required · Cancel any time
Existing legacy Agency subscribers stay on £149/mo for 12 months from May 2026.
Agency questions answered
What does the CRA actually require of WordPress agencies?
The EU Cyber Resilience Act takes effect 11 September 2026. Any "product with digital elements" placed on the EU market — including WordPress sites you build and operate — must self-assess against Annex I cybersecurity requirements, ship without known exploitable vulnerabilities, provide security updates, and disclose vulnerabilities through a documented process. WP HealthKit derives the CRA verdict per plugin from the deterministic + AI audit findings, and exports an EU Declaration of Conformity per plugin on demand.
How does the fleet dashboard differ from the per-audit results page?
The fleet dashboard is the agency view: every client × every plugin/theme they use, with CRA / GDPR / WCAG / EAA chips, latest score, score delta, and "changed since last visit" highlights. The per-audit results page is the technical deep dive for one plugin. Both come included in the Agency tier — fleet is the daily working surface; per-audit is what you forward to a developer.
Do audits in the registered portfolio really count as unlimited?
Yes. Once you've added a plugin or theme to a client's portfolio, you can re-audit it as often as you want — manually, on plugin update, or via the API — at no extra charge. Re-audits within 14 days of the previous audit are even more efficient on the platform's side thanks to our diff-aware cache. You can also configure a self-imposed monthly cap from Settings → Billing to defend against a runaway team member.
How does the morning digest work?
Once a day, you receive one email per agency summarising every state change across your fleet — new audits, score drops, compliance verdict shifts, new CVEs, and new upstream versions. The digest groups by client and links every row back to the relevant fleet dashboard view or audit. Empty mornings mean no email — we don't send when nothing moved.
Can we assign findings to team members and track status?
Yes. Each finding can be assigned to any active team seat, has a status workflow (Open → In Progress → Fixed → Accepted), and supports a threaded comment discussion. Team members logged into your agency see only their portfolio. Findings assigned to a teammate can be filtered by status, severity, plugin, or client.
How does the legacy £149 grandfather work?
Existing Agency subscribers stay on £149/month for 12 months from 14 May 2026. Inside Settings → Billing, legacy subscribers see "£149/mo (legacy)" instead of the public price — your renewal stays at £149 until the grandfather window closes, then it converts to the current public Agency rate.
What's included with Agency?
Agency (£149/mo) is the compliance platform: unlimited audits inside a registered portfolio, fleet dashboard, morning digest, CRA / GDPR / WCAG / EAA reports, finding assignment, 5 team seats, white-label PDFs, and REST API + webhooks.
Can we integrate findings into our own reporting?
Yes — the REST API returns structured JSON findings with severity, location, category, and remediation. Agencies typically poll the fleet endpoint nightly or subscribe to the webhook topics (audit.completed, finding.assigned, alert.unacked) for real-time integration into Linear, Notion, or an internal Retool dashboard.
Get ahead of the September 2026 CRA deadline
Stand up your fleet today. Audit every plugin your clients run. Hand them a conformity statement before the regulator asks.