The EU Cyber Resilience Act asks anyone who puts a product with digital elements on the market to know what their software is made of, to track its vulnerabilities, and to be able to prove it. For a WordPress site that means a real bill of materials, ongoing vulnerability monitoring, and the paperwork to back it up.
Non-compliance is expensive. The Cyber Resilience Act allows administrative fines of up to €15 million, or 2.5% of your company’s total worldwide annual turnover, whichever is higher, and lets authorities pull non-compliant products from the EU market.
CRA Vulnerability Monitor brings all of that into wp-admin. The free core builds a complete component inventory, exports a standards-based CycloneDX SBOM, and generates the CSAF/VEX advisory and EU Declaration of Conformity the Cyber Resilience Act asks for, entirely on your own server. Add a license and the plugin continuously matches your components against the National Vulnerability Database (NVD), OSV.dev and Wordfence Intelligence, scores them with CVSS, EPSS and CISA KEV signals, alerts you the moment something you run becomes vulnerable, and fills those documents with the actual findings.
Premium vulnerability matching runs on our servers, so no third-party API keys or scanning credentials are ever shipped inside the GPL plugin. Your component inventory goes out; enriched findings come back. Nothing about your content, users or visitors is involved.
It is the fastest way to bring EU Cyber Resilience Act readiness to a WordPress site. Explore our other WordPress plugins, or if you would rather have it handled for you, see our WordPress security services.