MMCRA Toolkit

Description

Selling a commercial WordPress plugin in the EU? Starting September 11, 2026, you need a Software Bill of Materials, a Vulnerability Disclosure Policy, and an EU Declaration of Conformity in your plugin’s technical file. MMCRA Toolkit generates all three from your plugin’s headers and dependency files, in an afternoon, with no servers or accounts.

What this plugin generates

  • Software Bill of Materials — valid CycloneDX 1.6 JSON. Scans composer.lock, package-lock.json, and plugin headers. One click per plugin.
  • Vulnerability Disclosure Policy — drafted to ISO/IEC 29147 conventions. Publish as a WordPress page on your marketing site, or export as standalone HTML.
  • EU Declaration of Conformity — per-product template structured to CRA Annex V (manufacturer identity, conformity assessment route, applied standards). Export to HTML; print to PDF for the signed copy.
  • Audit log — every artifact written, with the SHA-256 of its content at write time. Tamper-evident evidence that you produced the file on a given date.
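The first bullet above describes turning composer.lock, package-lock.json and the plugin header into CycloneDX 1.6 JSON. The PHP below is an added example of that transformation, not MMCRA Toolkit's own code: every mmcra_example_* function name is assumed, and the lock-file contents and plugin header are constructed samples. It also shows the two filtering decisions a practitioner cares about: dev-only dependencies are left out because they are not shipped, and package URLs (purl) are built in the form CycloneDX consumers such as Dependency-Track expect.

```php
<?php
// Added example, not MMCRA Toolkit's own code: turn composer.lock and package-lock.json
// contents into a minimal CycloneDX 1.6 JSON SBOM. All mmcra_example_* names are
// assumed; the lock-file contents and plugin header below are constructed samples.
declare(strict_types=1);

/** Runtime components from composer.lock ("packages"; "packages-dev" is not shipped). */
function mmcra_example_components_from_composer(string $lockJson): array
{
    $lock = json_decode($lockJson, true);
    if (!is_array($lock)) {
        throw new InvalidArgumentException('composer.lock is not valid JSON');
    }
    $components = [];
    foreach ($lock['packages'] ?? [] as $pkg) {
        if (empty($pkg['name']) || empty($pkg['version'])) {
            continue; // malformed entry: skip rather than emit a nameless component
        }
        $version = ltrim((string) $pkg['version'], 'v'); // composer.lock often stores "v3.0.0"
        $components[] = [
            'type'    => 'library',
            'name'    => $pkg['name'],
            'version' => $version,
            'purl'    => 'pkg:composer/' . $pkg['name'] . '@' . $version,
        ];
    }
    return $components;
}

/** Runtime components from package-lock.json (lockfileVersion 2 or 3 "packages" map). */
function mmcra_example_components_from_npm(string $lockJson): array
{
    $lock = json_decode($lockJson, true);
    if (!is_array($lock)) {
        throw new InvalidArgumentException('package-lock.json is not valid JSON');
    }
    $components = [];
    foreach ($lock['packages'] ?? [] as $path => $pkg) {
        if ($path === '' || empty($pkg['version']) || !empty($pkg['dev'])) {
            continue; // "" is the project itself; dev-only packages are not shipped
        }
        // "node_modules/a/node_modules/@scope/b" -> "@scope/b"
        $name = preg_replace('#^.*node_modules/#', '', (string) $path);
        $components[] = [
            'type'    => 'library',
            'name'    => $name,
            'version' => $pkg['version'],
            // purl encodes the scope's "@" as %40, e.g. pkg:npm/%40scope/name@1.0.0
            'purl'    => 'pkg:npm/' . str_replace('@', '%40', $name) . '@' . $pkg['version'],
        ];
    }
    return $components;
}

/** Version 4 UUID for the BOM serial number. */
function mmcra_example_uuid4(): string
{
    $b = random_bytes(16);
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40); // version 4
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80); // RFC 4122 variant
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($b), 4));
}

/** Assemble the document; $pluginHeader is shaped like what get_plugin_data() returns. */
function mmcra_example_build_bom(array $pluginHeader, array $components): array
{
    return [
        'bomFormat'    => 'CycloneDX',
        'specVersion'  => '1.6',
        'serialNumber' => 'urn:uuid:' . mmcra_example_uuid4(),
        'version'      => 1,
        'metadata'     => [
            'timestamp' => gmdate('Y-m-d\TH:i:s\Z'),
            'component' => [
                'type'    => 'application',
                'name'    => $pluginHeader['Name'],
                'version' => $pluginHeader['Version'],
            ],
        ],
        'components'   => $components,
    ];
}

// Constructed sample inputs (in a plugin these are read from the plugin directory).
$pluginHeader = ['Name' => 'Example Plugin', 'Version' => '1.0.0'];
$composerLock = <<<'JSON'
{"packages":[{"name":"example-vendor/http-client","version":"v2.4.0"},
             {"name":"example-vendor/logger","version":"1.1.3"}],
 "packages-dev":[{"name":"example-vendor/test-kit","version":"9.0.0"}]}
JSON;
$packageLock = <<<'JSON'
{"lockfileVersion":3,"packages":{"":{"name":"example-plugin","version":"1.0.0"},
 "node_modules/@example/ui-kit":{"version":"3.2.1"},
 "node_modules/example-build-tool":{"version":"5.0.0","dev":true}}}
JSON;

$components = array_merge(
    mmcra_example_components_from_composer($composerLock),
    mmcra_example_components_from_npm($packageLock)
);
echo json_encode(mmcra_example_build_bom($pluginHeader, $components),
    JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), "\n";
```

Run it with `php sbom-example.php`. The dev-only composer and npm packages are skipped, so only the libraries a customer actually receives appear under `components`; that matters because a vulnerability scanner fed the SBOM will otherwise raise findings for test tooling that never ships.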

Who this is for

Independent WordPress plugin developers and small teams who sell commercial plugins to EU customers and need to ship the technical-file artifacts the CRA mandates. The free version covers every plugin you have installed, with no limit. Ongoing OSV.dev vulnerability monitoring, incident tracking, and PDF audit reports are in MMCRA Toolkit Pro.

5-step setup wizard

The wizard walks you through company identity, vulnerability disclosure policy, SBOM generation, and monitoring activation. It also explains the underlying CRA articles in plain English so you understand what each artifact is for, not just how to click the buttons.

What this is NOT

  • Not legal advice. Consult qualified counsel for CRA interpretation.
  • Not a guarantee of regulatory approval. Compliance is your responsibility.
  • Not a substitute for secure development practices.
  • Not a replacement for an EU authorised representative if your business needs one (CRA Article 17).

Pro features

MMCRA Toolkit Pro adds: weekly OSV.dev vulnerability monitoring with email alerts (tiered by how many plugins you monitor), incident tracking, AI-assisted advisory triage and remediation drafting (Claude), PDF audit reports, the Compliance Bundle export (single zip per plugin combining SBOM + VDP + DoC + audit log), Plugin Scanner static analysis, SBOM-from-zip uploads for third-party code, and audit log CSV export.

Translations

MMCRA Toolkit is translation-ready. The included .pot file in languages/ covers every translatable string. Priority locales for the EU market — German, French, Italian, Spanish, Dutch — are open for community translation via translate.wordpress.org.

Shortcodes

[mmcra_vdp]

Embed the Vulnerability Disclosure Policy and an optional report form on any WordPress page or post. Useful for putting the disclosure form at /security/ or wherever your security contact page lives.

Attributes:

  • show="all" (default) — render both the policy and the report form
  • show="policy" — policy only
  • show="form" — submission form only
  • pgp="yes" — include the PGP key block (default: off)
  • style="default" (default) | style="minimal" — minimal drops the styled wrapper for tighter theme integration

Examples:

[mmcra_vdp]

[mmcra_vdp show="form"]

[mmcra_vdp show="policy" pgp="yes"]

Submissions are saved to the mmcra_vdp_submissions option (capped at 100 entries, FIFO) and emailed to the contact address configured under CRA Toolkit → Vulnerability Disclosure. Rate-limited to one submission per IP per minute. Includes a honeypot field for bot protection.
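The paragraph above lists three protections on the report form: a honeypot field, one submission per IP per minute, and a 100-entry FIFO cap on stored reports. The PHP below is an added example of those mechanisms, not MMCRA Toolkit's own code; it is written as pure functions with the state passed in so it runs from the command line without WordPress. All mmcra_example_* names, the `mmcra_website` honeypot field name, the secret constant and the sample requests are assumptions; in a real plugin the rate state would live in a transient, the submissions in the option, and the secret would come from wp_salt().

```php
<?php
// Added example, not MMCRA Toolkit's own code: the three protections the shortcode
// description lists (honeypot, one submission per IP per minute, 100-entry FIFO cap)
// written as pure functions so they run without WordPress. All mmcra_example_* names
// are assumed; the requests at the bottom are constructed.
declare(strict_types=1);

const MMCRA_EXAMPLE_MAX_ENTRIES = 100;  // FIFO cap on stored submissions
const MMCRA_EXAMPLE_WINDOW_SECS = 60;   // one submission per IP per minute
const MMCRA_EXAMPLE_RATE_SECRET = 'replace-with-wp_salt()'; // placeholder; use wp_salt() in WordPress

/**
 * Decide whether a submission may be stored. Returns null when accepted, otherwise
 * the rejection reason (for the server log only; the visitor should get a generic
 * message so bots learn nothing). $rateState maps a keyed hash of the IP to the unix
 * time of the last accepted submission from it (a transient in WordPress).
 */
function mmcra_example_gate(array $post, string $ip, array &$rateState, int $now): ?string
{
    // Honeypot: a field hidden from people by CSS; form-filling bots populate it.
    if (($post['mmcra_website'] ?? '') !== '') {
        return 'honeypot';
    }
    // Forget entries older than the window so the state does not grow without bound.
    foreach ($rateState as $key => $seen) {
        if ($now - $seen >= MMCRA_EXAMPLE_WINDOW_SECS) {
            unset($rateState[$key]);
        }
    }
    // Key on an HMAC of the address so raw IPs are not persisted alongside reports.
    $key = hash_hmac('sha256', $ip, MMCRA_EXAMPLE_RATE_SECRET);
    if (isset($rateState[$key])) {
        return 'rate_limited'; // anything still present is inside the window
    }
    $rateState[$key] = $now;
    return null;
}

/** Strip markup and normalise the fields that will be stored and emailed. */
function mmcra_example_sanitise(array $post): array
{
    // In WordPress use sanitize_text_field()/sanitize_email()/sanitize_textarea_field().
    $email = filter_var(trim($post['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    return [
        'reporter' => strip_tags(trim($post['reporter'] ?? '')),
        'email'    => $email === false ? '' : $email,
        'summary'  => strip_tags(trim($post['summary'] ?? '')),
    ];
}

/** Append one entry, dropping the oldest when the cap is exceeded (FIFO). */
function mmcra_example_store(array $submissions, array $entry): array
{
    $submissions[] = $entry;
    if (count($submissions) > MMCRA_EXAMPLE_MAX_ENTRIES) {
        $submissions = array_slice($submissions, -MMCRA_EXAMPLE_MAX_ENTRIES);
    }
    return $submissions;
}

// Constructed requests: a real report, a repeat from the same address 10 s later,
// a bot that filled the honeypot, and a second reporter with a malformed e-mail.
$requests = [
    ['ip' => '203.0.113.10', 't' => 1000, 'post' => ['reporter' => 'A', 'email' => 'a@example.com', 'summary' => 'Stored XSS on settings page <b>details</b>']],
    ['ip' => '203.0.113.10', 't' => 1010, 'post' => ['reporter' => 'A', 'email' => 'a@example.com', 'summary' => 'resend']],
    ['ip' => '198.51.100.7', 't' => 1020, 'post' => ['reporter' => 'bot', 'email' => 'x@example.com', 'summary' => 'spam', 'mmcra_website' => 'http://spam.example']],
    ['ip' => '198.51.100.8', 't' => 1030, 'post' => ['reporter' => 'B', 'email' => 'not-an-email', 'summary' => 'CSRF on export action']],
];
$rateState   = [];
$submissions = []; // stands in for the mmcra_vdp_submissions option
foreach ($requests as $r) {
    $reason = mmcra_example_gate($r['post'], $r['ip'], $rateState, $r['t']);
    if ($reason !== null) {
        printf("%s at t=%d: rejected (%s)\n", $r['ip'], $r['t'], $reason);
        continue;
    }
    $entry = mmcra_example_sanitise($r['post']) + ['received' => $r['t']];
    $submissions = mmcra_example_store($submissions, $entry);
    printf("%s at t=%d: stored, %d entries\n", $r['ip'], $r['t'], count($submissions));
    // Here a plugin would also wp_mail() the configured disclosure contact.
}
```

The gate returns a reason only so the server side can log it; the HTTP response to a rejected request should be the same generic acknowledgement a stored report gets, otherwise the rejection reason tells an automated sender which check it tripped. Keying the rate limit on an HMAC rather than the raw address keeps reporter IPs out of the stored state, which is worth doing when the option is also where report contents live.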

Installation

  1. Upload via Plugins → Add New → Upload Plugin, or extract to wp-content/plugins/mmcra-toolkit/.
  2. Activate the plugin.
  3. Open CRA Toolkit → Setup Wizard and follow the 5 steps.
  4. Generate SBOMs, publish your VDP, and sign your Declaration of Conformity as you ship releases.

FAQ

What does the CRA require of WordPress plugin developers?

The EU Cyber Resilience Act (Regulation 2024/2847) applies to any commercial digital product placed on the EU market. For a plugin developer that means you need to identify your manufacturer entity, produce a Software Bill of Materials, publish a coordinated vulnerability disclosure policy, and ship a signed Declaration of Conformity per product. From September 11, 2026, you also have to report actively exploited vulnerabilities to ENISA within 24 hours.

Do I need this if I only sell to UK or US customers?

The CRA applies to any product placed on the EU market. If you sell to EU customers — directly or through a marketplace — you’re in scope. If you only sell to non-EU customers, the CRA does not apply, but the technical artifacts the toolkit produces are still useful as evidence of secure development practice.

How is the free version different from Pro?

The free version generates SBOMs, Disclosure Policies, and Declarations of Conformity for every plugin you have installed — no plugin limit. Pro adds ongoing weekly OSV.dev vulnerability monitoring (tiered by how many plugins you monitor), incident tracking, AI-assisted triage and drafting, PDF audit reports, and the single-zip Compliance Bundle export for regulator handoff.

Is the SBOM compatible with regulator tooling?

Yes. The toolkit outputs CycloneDX 1.6 JSON, which is one of the two SBOM formats explicitly named in the CRA’s harmonised standards. The same format works with OWASP Dependency-Track, GitHub Advanced Security, and most enterprise procurement portals.

Where does the audit log live?

In a custom table in your WordPress database (wp_mmcra_audit_log). Every artifact written by the toolkit is recorded with timestamp, user, plugin slug, path, and the SHA-256 of the content at write time. This gives you tamper-evident evidence that you produced the file on the date it claims.
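The answer above lists what each audit row stores (timestamp, user, plugin slug, path, SHA-256 at write time). The PHP below is an added example, not MMCRA Toolkit's own code, of how such a row is produced and how it is later used to detect that an artifact changed after it was logged. All mmcra_example_* names, the sample artifacts and the user and slug values are assumptions; the script writes to temporary files so it runs stand-alone, whereas in WordPress the rows would be inserted through $wpdb into wp_mmcra_audit_log.

```php
<?php
// Added example, not MMCRA Toolkit's own code: write an artifact, log its SHA-256 at
// write time, and later verify the artifact against the log the way the FAQ describes.
// All mmcra_example_* names are assumed; in WordPress the rows would go through $wpdb
// into wp_mmcra_audit_log. The files below are temporary files created by this script.
declare(strict_types=1);

/** Write $content to $path and return the audit row recorded for it. */
function mmcra_example_write_and_log(string $path, string $content, string $user, string $slug): array
{
    if (file_put_contents($path, $content) === false) {
        throw new RuntimeException("cannot write $path");
    }
    return [
        'timestamp' => gmdate('Y-m-d\TH:i:s\Z'),  // current_time('mysql', true) in WordPress
        'user'      => $user,                      // wp_get_current_user()->user_login
        'slug'      => $slug,
        'path'      => $path,
        'sha256'    => hash('sha256', $content),   // hash of the bytes written, not a later re-read
    ];
}

/**
 * Compare each logged artifact with what is on disk now.
 * Returns path => 'ok' | 'modified' | 'missing'.
 */
function mmcra_example_verify(array $auditRows): array
{
    $result = [];
    foreach ($auditRows as $row) {
        if (!is_file($row['path'])) {
            $result[$row['path']] = 'missing';
            continue;
        }
        $current = hash_file('sha256', $row['path']);
        // hash_equals() is the habit for comparing digests, even for a local check.
        $result[$row['path']] = hash_equals($row['sha256'], $current) ? 'ok' : 'modified';
    }
    return $result;
}

// Demo with temporary files so the script is self-contained.
$dir      = sys_get_temp_dir();
$sbomPath = tempnam($dir, 'sbom');
$docPath  = tempnam($dir, 'doc');
$log = [];
$log[] = mmcra_example_write_and_log($sbomPath, '{"bomFormat":"CycloneDX","specVersion":"1.6"}', 'admin', 'example-plugin');
$log[] = mmcra_example_write_and_log($docPath, "<h1>EU Declaration of Conformity</h1>\n", 'admin', 'example-plugin');

// Someone edits the declaration after the fact; its logged hash no longer matches.
file_put_contents($docPath, "<h1>EU Declaration of Conformity</h1>\n<p>edited later</p>\n");

foreach (mmcra_example_verify($log) as $path => $status) {
    printf("%-8s %s\n", $status, basename($path));
}
unlink($sbomPath);
unlink($docPath);
```

The verification is only as trustworthy as the log rows themselves: a database user who can rewrite wp_mmcra_audit_log can rewrite the hash alongside the file. Keeping periodic exports of the log outside the WordPress database (the CSV export mentioned under Pro features is one route) gives you a second copy to compare against.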

Does this plugin send any data to external services?

No. The free plugin operates entirely on your WordPress install. No telemetry, no phone-home, no third-party API calls. Pro optionally talks to OSV.dev (Google’s open-source vulnerability database) for weekly monitoring and to Anthropic’s Claude API for AI-assisted triage, both opt-in.

Why a wizard instead of just a settings page?

Because the CRA is unfamiliar territory for most plugin developers. The wizard explains what each step is, why the CRA requires it, and what happens if you skip it. You can re-run it any time from CRA Toolkit → Setup Wizard.

Changelog

1.0.0

Initial public release.

  • SBOM generator (CycloneDX 1.6) for installed plugins — scans composer.lock, package-lock.json, and plugin headers.
  • Vulnerability Disclosure Policy editor (ISO/IEC 29147 conventions) — publish as a WordPress page or export as HTML, with the [mmcra_vdp] shortcode and a rate-limited, honeypot-protected submission form.
  • Disclosure Submissions admin page — browse, triage, and bulk-action reports received via the shortcode.
  • EU Declaration of Conformity template per CRA Annex V — export to HTML, print to PDF for the signed copy.
  • Compliance Score — a 0-100 quantified posture with a transparent, click-to-fix deduction breakdown and CRA article references.
  • Audit log recording the SHA-256 of every artifact at write time.
  • 5-step setup wizard with plain-English CRA explanations.
  • Single “CRA Toolkit” top-level menu with an in-page sidebar nav.
  • Translation-ready (.pot template included).