WordPress plugin | Free core, premium license | v1.0.0
CRA Vulnerability Monitor

EU Cyber Resilience Act compliance for WordPress

EU Cyber Resilience Act compliance for WordPress: build a CycloneDX SBOM, monitor vulnerabilities and export the documents auditors ask for, from wp-admin.

Requires WordPress 6.0+ and PHP 7.4+

What the Cyber Resilience Act means for WordPress

The EU Cyber Resilience Act asks anyone who puts a product with digital elements on the market to know what their software is made of, to track its vulnerabilities, and to be able to prove it. For a WordPress site that means a real bill of materials, ongoing vulnerability monitoring, and the paperwork to back it up.

Non-compliance is expensive. The Cyber Resilience Act allows administrative fines of up to €15 million, or 2.5% of your company’s total worldwide annual turnover, whichever is higher, and lets authorities pull non-compliant products from the EU market.

CRA Vulnerability Monitor brings all of that into wp-admin. The free core builds a complete component inventory, exports a standards-based CycloneDX SBOM, and generates the CSAF/VEX advisory and EU Declaration of Conformity the Cyber Resilience Act asks for, entirely on your own server. Add a license and the plugin continuously matches your components against the National Vulnerability Database (NVD), OSV.dev and Wordfence Intelligence, scores them with CVSS, EPSS and CISA KEV signals, alerts you the moment something you run becomes vulnerable, and fills those documents with the actual findings.

The premium vulnerability data is matched on our servers, so no third-party API keys or scanning credentials are ever shipped inside the GPL plugin. Your inventory goes out; enriched findings come back. Nothing about your content, users or visitors is involved.

It is the fastest way to bring EU Cyber Resilience Act readiness to a WordPress site. Explore our other WordPress plugins, or if you would rather have it handled for you, see our WordPress security services.

The core is free, and stays free

Component inventory, CycloneDX SBOM, WP-CLI and the CSAF/VEX and Declaration of Conformity documents run on your own server, GPL-licensed, no account needed. A license adds live vulnerability data and alerting on top.

A license is what turns the documents into protection

The free core builds the paperwork once. A license keeps you safe between audits: daily automated scans of every plugin, theme and the core against the National Vulnerability Database (NVD), OSV.dev and Wordfence Intelligence, scored with CVSS, EPSS and CISA KEV signals, plus email, Slack and webhook alerts the moment something you run becomes vulnerable.

See license pricing

What a license unlocks

Everything in the free core, plus continuous, enriched vulnerability intelligence and alerting.

Capability | Free | Premium
Component inventory (plugins, themes, core, must-use, drop-ins) | Yes | Yes
CycloneDX 1.6 SBOM export, with transitive dependencies | Yes | Yes
WP-CLI commands for inventory and SBOM | Yes | Yes
Plugin and theme health and file integrity checks | Yes | Yes
Compliance documents: CSAF / VEX, Declaration of Conformity, SECURITY.md | Yes | Yes
Compliance report export (per-component status, time-to-patch) | Yes | Yes
Continuous vulnerability scanning (CVE matching) | No | Yes
Risk dashboard with severity, EPSS and CISA KEV signals | No | Yes
Automated alerts: email, Slack, webhook and scheduled digests | No | Yes
Daily scheduled scans and configurable thresholds | No | Yes
Audit log of compliance activity | Yes | Yes

Choose your license

Both plans include the complete premium feature set. Pick by how many sites you run.

Agency (best value)

Up to 100 sites
$899 / year, compared with $9,900 for 100 single-site licenses (save 91%)

  • Everything in the single-site plan
  • Activate on up to 100 sites from one key
  • Roughly $9 per site, per year
  • Priority email support
  • Renews yearly, cancel anytime
Get the agency license
Secure checkout via Stripe. Licensed by domain. Renews yearly, cancel anytime.

Key features

Full Component Inventory

Every plugin, theme, the WordPress core, must-use plugins and drop-ins, captured with name, slug, version and supplier, the foundation of any CRA conformity file.

Standards-Based SBOM

Generate a CycloneDX 1.6 Software Bill of Materials with PURL identifiers and transitive dependencies, ready to hand to an auditor or attach to a Declaration of Conformity.
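To show what such a document contains, here is an added illustration (not the plugin's own code) that builds a minimal CycloneDX 1.6 SBOM from a constructed WordPress inventory, records the dependency graph, and walks it to find which components a single vulnerable dependency reaches. The inventory data and the pkg:generic PURL scheme are assumptions: the PURL specification has no dedicated WordPress type.

```python
import uuid
from datetime import datetime, timezone

# Constructed sample inventory (not from the plugin): the per-component fields the page
# names (name, slug, version, supplier) plus kind and declared dependencies by slug.
INVENTORY = [
    {"name": "WordPress", "slug": "wordpress", "version": "6.5.2", "supplier": "WordPress.org", "kind": "core", "depends_on": []},
    {"name": "Example Shop", "slug": "example-shop", "version": "2.1.0", "supplier": "Example Vendor", "kind": "plugin", "depends_on": ["example-payments"]},
    {"name": "Example Payments", "slug": "example-payments", "version": "1.4.3", "supplier": "Example Vendor", "kind": "plugin", "depends_on": []},
    {"name": "Example Theme", "slug": "example-theme", "version": "3.0.1", "supplier": "Example Studio", "kind": "theme", "depends_on": []},
]

def purl(c):
    # Assumed scheme: PURL has no WordPress type, so pkg:generic is used; it doubles as the bom-ref.
    return f"pkg:generic/wordpress-{c['kind']}/{c['slug']}@{c['version']}"

def build_sbom(inventory, site_ref):
    """Return a CycloneDX 1.6 document (as a dict) with a components list and a dependency graph."""
    by_slug = {c["slug"]: c for c in inventory}
    components, dependencies = [], [{"ref": site_ref, "dependsOn": [purl(c) for c in inventory]}]
    for c in inventory:
        # A dependency on a slug missing from the inventory would leave a dangling ref: refuse it.
        unknown = [s for s in c["depends_on"] if s not in by_slug]
        if unknown:
            raise ValueError(f"{c['slug']} depends on components not in the inventory: {unknown}")
        components.append({"type": "framework" if c["kind"] == "core" else "library",
                           "bom-ref": purl(c), "name": c["name"], "version": c["version"],
                           "supplier": {"name": c["supplier"]}, "purl": purl(c)})
        dependencies.append({"ref": purl(c), "dependsOn": [purl(by_slug[s]) for s in c["depends_on"]]})
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
            "serialNumber": f"urn:uuid:{uuid.uuid4()}",
            "metadata": {"timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                         "component": {"type": "application", "name": "WordPress site", "bom-ref": site_ref}},
            "components": components, "dependencies": dependencies}

def affected_by(sbom, vulnerable_ref):
    """Every bom-ref that transitively depends on vulnerable_ref (the reach of one finding)."""
    reverse = {}
    for d in sbom["dependencies"]:
        for dep in d["dependsOn"]:
            reverse.setdefault(dep, set()).add(d["ref"])
    affected, stack = set(), [vulnerable_ref]
    while stack:
        for parent in reverse.get(stack.pop(), ()):
            if parent not in affected:
                affected.add(parent)
                stack.append(parent)
    return affected
```

`json.dumps(build_sbom(INVENTORY, "urn:example:site"), indent=2)` produces the JSON an auditor would receive; `affected_by` answers which components, including the site itself, a finding against one dependency touches.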

Vulnerability Monitoring

Your inventory is matched on our servers against the National Vulnerability Database (NVD), OSV.dev and Wordfence Intelligence, then enriched with CVSS severity, EPSS exploit probability and CISA KEV status. No third-party API keys ship in the plugin.

Automated Alerts

Get notified the moment a component you run becomes vulnerable, by email, Slack, webhook, or a scheduled digest, with thresholds you control.

Auditor-Ready Documents

Export CSAF / VEX advisories and a Declaration of Conformity directly from the dashboard, the paperwork the Cyber Resilience Act actually asks for.

Compliance Audit Log

Every scan, export and decision is recorded in a filterable, dated audit trail, so you can show what you knew and when.

Privacy by Design

Only technical data ever leaves the site: your component inventory and plugin/theme slugs, used to fetch vulnerability data, generate the compliance documents, and verify files against WordPress.org. No post content, user data or visitor data is collected or transmitted, and no third-party API keys ship in the plugin.

Multisite and CLI Ready

Works across a multisite network with a roll-up view of every site, and the core tasks, from inventory to SBOM to scans and the policy gate, are scriptable via WP-CLI for your CI pipelines.

Up and running in three steps

Install the free core

Install CRA Vulnerability Monitor from the WordPress plugin directory, or upload the ZIP under Plugins > Add New > Upload Plugin. Activate it like any other plugin.

Build your inventory and SBOM

Open the CRA menu in wp-admin. Your component inventory is ready immediately and you can export a CycloneDX SBOM straight away, no account required.

Add a license to unlock monitoring

Paste your license key on the License screen to switch on continuous vulnerability scanning, the risk dashboard and automated alerts for that site.

Frequently asked questions

Does this plugin make my WordPress site compliant with the EU Cyber Resilience Act?
It gives you the core technical building blocks the Cyber Resilience Act expects from a WordPress site: a complete component inventory, a CycloneDX software bill of materials, continuous vulnerability monitoring, and ready-to-export CSAF/VEX and Declaration of Conformity documents. Full CRA compliance also involves processes and obligations beyond any single plugin, but this covers the WordPress evidence and paperwork.
What does the EU Cyber Resilience Act require for WordPress?
The EU Cyber Resilience Act (Regulation (EU) 2024/2847) expects makers of products with digital elements to know what their software is made of, to track and handle vulnerabilities, and to document conformity. For a WordPress site that means keeping an up-to-date SBOM, monitoring your plugins, themes and core for known vulnerabilities, and holding auditor-ready records, which is exactly what this plugin produces.
Is the plugin free?
Yes. The core is free and licensed under GPL-3.0-or-later on WordPress.org: the component inventory, the CycloneDX SBOM export, the CSAF/VEX, SECURITY.md, EU Declaration of Conformity and compliance-report exports, plugin and theme health and integrity checks, the on-screen compliance dashboard, the audit log and the WP-CLI commands. Continuous vulnerability scanning, the risk dashboard and automated alerts require a premium license; that license is what fills the free documents with actual vulnerability findings.
How does the license work?
One license activates one site, identified by its domain. The premium features stay active while the license is valid. You can move a license between sites from the License screen or your members area.
Do I need a license to generate an SBOM?
No. The component inventory, the CycloneDX SBOM and every document export (CSAF/VEX, SECURITY.md, Declaration of Conformity and the compliance report) run locally on your server and are completely free, no account required. A license adds the live vulnerability data and alerts; until a scan runs, the documents simply list no vulnerabilities.
Where does the vulnerability data come from?
Your inventory is sent to the Mecanik API, which matches it against the U.S. National Vulnerability Database (NVD), OSV.dev and Wordfence Intelligence, and returns the findings enriched with CVSS, EPSS and CISA KEV signals. No post content, user data or visitor data is ever sent, and no upstream API keys are bundled in the plugin.
Do you have an agency or multisite option?
Yes. The single-site plan covers one site; the Agency plan activates up to 100 sites on one key. If you need more than 100 or have a special multisite setup, contact us at [email protected] and we will set you up.
What are the requirements?
WordPress 6.0 or newer and PHP 7.4 or newer. The premium features need outbound HTTPS to api.mecanik.dev so your site can reach the scanning service.
