MM CRA Toolkit documentation
Everything you need to use MM CRA Toolkit on your WordPress site. Each topic below is one focused article — install, configure, generate, monitor, and export your CRA technical file.
Getting started
Install MM CRA Toolkit
Activate your license
Run the Setup Wizard
Core features
Generate a CycloneDX SBOM
Run the […]
Install MM CRA Toolkit
The toolkit installs from a zip upload. There is no free version on the WordPress.org repository yet.
Requirements
WordPress 6.2 or higher
PHP 7.4 or higher
libsodium extension (default in PHP 7.4+) for signed update verification
The PHP ZipArchive extension (default in most hosts) for SBOM-from-zip and bundle export
Upload the […]
Run the Setup Wizard
The Setup Wizard walks you through the configuration the toolkit needs before it can generate complete CRA artifacts. Five steps, usually under ten minutes. You can skip the wizard and configure individual pages directly, but the wizard is the path of least resistance for first-time users.
Step 1 — Manufacturer identity […]
Generate a CycloneDX SBOM
The SBOM (Software Bill of Materials) is a machine-readable inventory of every dependency that ships with your plugin. The EU Cyber Resilience Act Annex II makes it mandatory. MM CRA Toolkit produces CycloneDX 1.6 JSON — the format ENISA references most often.
Two flows
The SBOM page has two ways to […]
Run the Plugin Scanner
The Plugin Scanner performs static analysis over the PHP files of any WordPress plugin and produces a structured report describing the plugin's attack surface. The output is suitable as supporting evidence in your CRA technical file under Article 31.
What the scanner detects
For each scanned plugin, the report enumerates:
Entry […]
Publish a Vulnerability Disclosure Policy
The CRA's Article 13 requires a Vulnerability Disclosure Policy (VDP) — a published, machine-discoverable channel for researchers to report security issues. MM CRA Toolkit drafts a complete VDP following ISO/IEC 29147 conventions and publishes it as a WordPress page or exports it as standalone HTML.
Configure the policy
Go to […]
Build an EU Declaration of Conformity
The CRA's Annex V requires a signed Declaration of Conformity (DoC) per product. MM CRA Toolkit produces a per-plugin DoC populated from your Settings and the per-product fields you fill in.
Open the DoC editor
Go to CRA Toolkit → Declarations of Conformity, pick a plugin from the dropdown, […]
Check dependencies against OSV.dev
The Vulnerability Check page runs every Composer and npm dependency in your saved SBOMs against the OSV.dev advisory database. OSV is Google's open-source vulnerability feed, aggregating GitHub Security Advisories, RustSec, PyPA, Packagist, npm advisories, and more. This satisfies CRA Article 14's "monitor for new vulnerabilities" obligation at the point-in-time level.
For […]
Enable weekly vulnerability monitoring
CRA Article 14 requires manufacturers to monitor their products for new vulnerabilities post-release, not just at release time. The toolkit's Monitor automates this with a weekly OSV.dev check across every plugin you have a saved SBOM for.
Enable
Go to CRA Toolkit → Settings → Monitor. Toggle Enable weekly monitoring. Enter […]
Export a Compliance Bundle
The Compliance Bundle is the single ZIP you hand to a regulator under CRA Article 31 or to an EU customer asking for your "technical file." It contains everything the toolkit has generated for the plugin in one archive, with a README manifest naming every file.
Build a bundle
Two ways:
Per plugin […]