Description
Selling a commercial WordPress plugin in the EU? Starting September 11, 2026 you need a Software Bill of Materials, a Vulnerability Disclosure Policy, and an EU Declaration of Conformity in your plugin’s technical file. MMCRA Toolkit generates all three from your plugin’s headers and dependency files, in an afternoon, with no servers or accounts.
What this plugin generates
- Software Bill of Materials — valid CycloneDX 1.6 JSON. Scans composer.lock, package-lock.json, and plugin headers. One click per plugin.
- Vulnerability Disclosure Policy — drafted to ISO/IEC 29147 conventions. Publish as a WordPress page on your marketing site, or export as standalone HTML.
- EU Declaration of Conformity — per-product template structured to CRA Annex V (manufacturer identity, conformity assessment route, applied standards). Export to HTML; print to PDF for the signed copy.
- Audit log — every artifact written, with the SHA-256 of its content at write time. Tamper-evident evidence that you produced the file on a given date.
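As an added example (not MMCRA Toolkit's own code), this is the shape of document the SBOM generator described above produces: a minimal CycloneDX 1.6 JSON BOM assembled from composer.lock and package-lock.json entries. The function names and the inline lock data are constructed for illustration.

```php
<?php
// Added example, not the plugin's own code: emit a minimal CycloneDX 1.6 JSON
// SBOM from the two lock files the description says the toolkit scans.
// Function names and the sample lock data below are constructed for illustration.

function mmcra_example_components(array $composerLock, array $npmLock): array {
    $components = [];
    // composer.lock: runtime deps live under "packages" (dev deps under "packages-dev").
    foreach ($composerLock['packages'] ?? [] as $pkg) {
        $version = ltrim($pkg['version'], 'v');
        $components[] = [
            'type'    => 'library',
            'name'    => $pkg['name'],
            'version' => $version,
            // Package URL lets downstream tools (Dependency-Track, OSV) identify the component.
            'purl'    => "pkg:composer/{$pkg['name']}@{$version}",
        ];
    }
    // package-lock.json v2/v3: flat "packages" map keyed by "node_modules/<name>"; "" is the root.
    foreach ($npmLock['packages'] ?? [] as $path => $pkg) {
        if ($path === '' || !empty($pkg['dev'])) {
            continue; // skip the root project entry and dev-only dependencies
        }
        // strrpos handles nested entries such as "node_modules/a/node_modules/b".
        $name = substr($path, strrpos($path, 'node_modules/') + 13);
        $components[] = [
            'type'    => 'library',
            'name'    => $name,
            'version' => $pkg['version'],
            'purl'    => "pkg:npm/{$name}@{$pkg['version']}",
        ];
    }
    return $components;
}

function mmcra_example_sbom(string $plugin, string $version, array $components): string {
    return json_encode([
        'bomFormat'   => 'CycloneDX',
        'specVersion' => '1.6',
        'version'     => 1,
        'metadata'    => [
            'timestamp' => gmdate('Y-m-d\TH:i:s\Z'),
            'component' => ['type' => 'application', 'name' => $plugin, 'version' => $version],
        ],
        'components'  => $components,
    ], JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES);
}

// Constructed sample lock data standing in for composer.lock and package-lock.json.
$composer = ['packages' => [['name' => 'psr/log', 'version' => 'v3.0.0']]];
$npm = ['packages' => ['' => ['name' => 'example'], 'node_modules/lodash' => ['version' => '4.17.21']]];
echo mmcra_example_sbom('example-plugin', '1.0.0', mmcra_example_components($composer, $npm));
```

The resulting document validates against the CycloneDX 1.6 schema because bomFormat, specVersion and version are the only required top-level fields; the purl per component is what makes later OSV.dev matching possible.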
Who this is for
Independent WordPress plugin developers and small teams who sell commercial plugins to EU customers and need to ship the technical-file artifacts the CRA mandates. The free version covers every plugin you have installed, with no limit. Ongoing OSV.dev vulnerability monitoring, incident tracking, and PDF audit reports are in MMCRA Toolkit Pro.
5-step setup wizard
The wizard walks you through company identity, vulnerability disclosure policy, SBOM generation, and monitoring activation. It also explains the underlying CRA articles in plain English so you understand what each artifact is for, not just how to click the buttons.
What this is NOT
- Not legal advice. Consult qualified counsel for CRA interpretation.
- Not a guarantee of regulatory approval. Compliance is your responsibility.
- Not a substitute for secure development practices.
- Not a replacement for an EU authorised representative if your business needs one (CRA Article 17).
Pro features
MMCRA Toolkit Pro adds: weekly OSV.dev vulnerability monitoring with email alerts (tiered by how many plugins you monitor), incident tracking, AI-assisted advisory triage and remediation drafting (Claude), PDF audit reports, the Compliance Bundle export (single zip per plugin combining SBOM + VDP + DoC + audit log), Plugin Scanner static analysis, SBOM-from-zip uploads for third-party code, and audit log CSV export.
Translations
MMCRA Toolkit is translation-ready. The included .pot file in languages/ covers every translatable string. Priority locales for the EU market — German, French, Italian, Spanish, Dutch — are open for community translation via translate.wordpress.org.
Shortcodes
[mmcra_vdp]
Embed the Vulnerability Disclosure Policy and an optional report form on any WordPress page or post. Useful for putting the disclosure form at /security/ or wherever your security contact page lives.
Attributes:
- show="all" (default) — render both the policy and the report form
- show="policy" — policy only
- show="form" — submission form only
- pgp="yes" — include the PGP key block (default: off)
- style="default" (default) | style="minimal" — minimal drops the styled wrapper for tighter theme integration
Examples:
[mmcra_vdp]
[mmcra_vdp show="form"]
[mmcra_vdp show="policy" pgp="yes"]
Submissions are saved to the mmcra_vdp_submissions option (capped at 100 entries, FIFO) and emailed to the contact address configured under CRA Toolkit → Vulnerability Disclosure. Rate-limited to one submission per IP per minute. Includes a honeypot field for bot protection.
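An added example, not the plugin's own code, of the three protections described above written as a WordPress submission handler: the honeypot field, the one-submission-per-IP-per-minute rate limit, and the 100-entry FIFO cap on the mmcra_vdp_submissions option. The form field names, nonce action, transient key and contact-email option name are assumptions.

```php
<?php
// Added example, not MMCRA Toolkit's own code. Field names, the nonce action,
// the transient key and the contact-email option name are assumptions; the
// mmcra_vdp_submissions option name and the limits come from the plugin description.

function mmcra_example_handle_vdp_submission(array $post, string $ip): array {
    // CSRF: the shortcode form is expected to carry a WordPress nonce (action name assumed).
    if (!wp_verify_nonce($post['_mmcra_nonce'] ?? '', 'mmcra_vdp_submit')) {
        return ['ok' => false, 'reason' => 'nonce'];
    }
    // Honeypot: a real browser leaves the hidden field empty; bots tend to fill it.
    if (!empty($post['website'])) {
        return ['ok' => false, 'reason' => 'honeypot'];
    }
    // Rate limit: one submission per IP per minute. $ip should be REMOTE_ADDR unless a
    // trusted proxy is in front; the key hashes the IP so it is not stored in the transient name.
    $key = 'mmcra_vdp_rl_' . hash('sha256', $ip);
    if (get_transient($key)) {
        return ['ok' => false, 'reason' => 'rate_limited'];
    }
    set_transient($key, 1, MINUTE_IN_SECONDS);

    // Report contents are untrusted input: sanitize before storing or mailing.
    $entry = [
        'time'    => gmdate('c'),
        'email'   => sanitize_email(wp_unslash($post['email'] ?? '')),
        'summary' => sanitize_text_field(wp_unslash($post['summary'] ?? '')),
        'details' => wp_strip_all_tags(wp_unslash($post['details'] ?? '')),
    ];
    if ($entry['summary'] === '') {
        return ['ok' => false, 'reason' => 'empty'];
    }

    // FIFO cap: keep only the 100 newest reports in the option.
    $submissions   = (array) get_option('mmcra_vdp_submissions', []);
    $submissions[] = $entry;
    if (count($submissions) > 100) {
        $submissions = array_slice($submissions, -100);
    }
    update_option('mmcra_vdp_submissions', $submissions, false); // false: not autoloaded

    // Notify the configured security contact (option name assumed).
    $to = get_option('mmcra_vdp_contact_email');
    if ($to) {
        wp_mail($to, 'New vulnerability report: ' . $entry['summary'], $entry['details']);
    }
    return ['ok' => true, 'count' => count($submissions)];
}
```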
Installation
- Upload via Plugins → Add New → Upload Plugin, or extract to wp-content/plugins/mmcra-toolkit/.
- Activate the plugin.
- Open CRA Toolkit → Setup Wizard and follow the 5 steps.
- Generate SBOMs, publish your VDP, and sign your Declaration of Conformity as you ship releases.
FAQ

What does the CRA require of WordPress plugin developers?
The EU Cyber Resilience Act (Regulation 2024/2847) applies to any commercial digital product placed on the EU market. For a plugin developer that means you need to identify your manufacturer entity, produce a Software Bill of Materials, publish a coordinated vulnerability disclosure policy, and ship a signed Declaration of Conformity per product. From September 11, 2026, you also have to report actively exploited vulnerabilities to ENISA within 24 hours.

Do I need this if I only sell to UK or US customers?
The CRA applies to any product placed on the EU market. If you sell to EU customers — directly or through a marketplace — you’re in scope. If you only sell to non-EU customers, the CRA does not apply, but the technical artifacts the toolkit produces are still useful as evidence of secure development practice.

How is the free version different from Pro?
The free version generates SBOMs, Disclosure Policies, and Declarations of Conformity for every plugin you have installed — no plugin limit. Pro adds ongoing weekly OSV.dev vulnerability monitoring (tiered by how many plugins you monitor), incident tracking, AI-assisted triage and drafting, PDF audit reports, and the single-zip Compliance Bundle export for regulator handoff.

Is the SBOM compatible with regulator tooling?
Yes. The toolkit outputs CycloneDX 1.6 JSON, which is one of the two SBOM formats explicitly named in the CRA’s harmonised standards. The same format works with OWASP Dependency-Track, GitHub Advanced Security, and most enterprise procurement portals.

Where does the audit log live?
In a custom table in your WordPress database (wp_mmcra_audit_log). Every artifact written by the toolkit is recorded with timestamp, user, plugin slug, path, and the SHA-256 of the content at write time. This gives you tamper-evident evidence that you produced the file on the date it claims.

Does this plugin send any data to external services?
No. The free plugin operates entirely on your WordPress install. No telemetry, no phone-home, no third-party API calls. Pro optionally talks to OSV.dev (Google’s open-source vulnerability database) for weekly monitoring and to Anthropic’s Claude API for AI-assisted triage, both opt-in.

Why a wizard instead of just a settings page?
Because the CRA is unfamiliar territory for most plugin developers. The wizard explains what each step is, why the CRA requires it, and what happens if you skip it. You can re-run it any time from CRA Toolkit → Setup Wizard.
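For the audit-log answer above, an added example (not MMCRA Toolkit's code) of recording the SHA-256 of an artifact in wp_mmcra_audit_log at write time and later checking that the file on disk still matches its record. Column names and function names are assumptions; the table name is the one the FAQ gives.

```php
<?php
// Added example, not the plugin's own code: write an artifact, record its SHA-256
// in wp_mmcra_audit_log, and verify it later. Column and function names are assumed.

function mmcra_example_write_artifact(string $path, string $content, string $slug): string {
    global $wpdb;
    // Hash the bytes actually written, not a later re-read, so the record reflects write time.
    $hash = hash('sha256', $content);
    if (file_put_contents($path, $content) === false) {
        throw new RuntimeException("Could not write $path");
    }
    $wpdb->insert($wpdb->prefix . 'mmcra_audit_log', [
        'created_at'  => current_time('mysql', true), // UTC timestamp
        'user_id'     => get_current_user_id(),
        'plugin_slug' => $slug,
        'path'        => $path,
        'sha256'      => $hash,
    ], ['%s', '%d', '%s', '%s', '%s']);
    return $hash;
}

// Returns true only when the file on disk still matches the most recent recorded hash.
function mmcra_example_verify_artifact(string $path): bool {
    global $wpdb;
    $recorded = $wpdb->get_var($wpdb->prepare(
        "SELECT sha256 FROM {$wpdb->prefix}mmcra_audit_log WHERE path = %s ORDER BY id DESC LIMIT 1",
        $path
    ));
    if ($recorded === null || !is_readable($path)) {
        return false;
    }
    // The log proves integrity only as far as the table itself is protected: anyone with
    // database write access could alter both the file and its record, so back the table up
    // off-host (the Pro CSV export is one route) if you need evidence that survives a compromise.
    return hash_equals($recorded, hash_file('sha256', $path));
}
```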
Changelog
1.0.0
Initial public release.
- SBOM generator (CycloneDX 1.6) for installed plugins — scans composer.lock, package-lock.json, and plugin headers.
- Vulnerability Disclosure Policy editor (ISO/IEC 29147 conventions) — publish as a WordPress page or export as HTML, with the [mmcra_vdp] shortcode and a rate-limited, honeypot-protected submission form.
- Disclosure Submissions admin page — browse, triage, and bulk-action reports received via the shortcode.
- EU Declaration of Conformity template per CRA Annex V — export to HTML, print to PDF for the signed copy.
- Compliance Score — a 0-100 quantified posture with a transparent, click-to-fix deduction breakdown and CRA article references.
- Audit log recording the SHA-256 of every artifact at write time.
- 5-step setup wizard with plain-English CRA explanations.
- Single “CRA Toolkit” top-level menu with an in-page sidebar nav.
- Translation-ready (.pot template included).
