Install MM CRA Toolkit

The toolkit installs from a zip upload. There is no free version on the WordPress.org repository yet.

Requirements

  • WordPress 6.2 or higher
  • PHP 7.4 or higher
  • libsodium extension (default in PHP 7.4+) for signed update verification
  • The PHP ZipArchive extension (available by default on most hosts) for SBOM-from-zip and bundle export

Upload the plugin

  1. Sign in at /account/ and download mm-cra-toolkit.zip.
  2. In WordPress admin: Plugins → Add New → Upload Plugin.
  3. Pick the zip, click Install Now, then Activate.

A new sidebar entry CRA Toolkit appears. The first thing it shows you is the Setup Wizard.

Activate your license

After install, go to CRA Toolkit → License. Paste the key from your welcome email and click Activate. The toolkit handshakes with mmplugs.com and locks the seat to this site's domain. See Activate your license for details.

Verify it's working

Open CRA Toolkit → Dashboard. You should see:

  • A compliance grid listing every installed plugin on this site
  • Five columns (SBOM, VDP, DoC, Scan, Bundle) showing the status of each artifact
  • A "Run Setup Wizard" button if you haven't completed it yet

If you see a permissions error, check that the user you're logged in as has the manage_options capability. The mmcra_capability filter is available for multisite or agency setups that need a custom role.

What gets installed

The plugin creates:

  • A custom database table wp_mmcra_audit_log for the immutable audit log
  • A wp-content/uploads/mmcra/ directory with subdirs for sboms, scans, vdp, doc, bundles — each hardened with a .htaccess deny rule
  • A weekly cron event mmcra_monitor_run (only scheduled when you enable monitoring)
  • A daily cron event mmcra_daily_update_check for the auto-updater

Nothing else. The plugin is self-contained — no external services beyond mmplugs.com (license + updates) and OSV.dev (vulnerability check, only when you trigger it).
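To confirm the upload tree listed above after activation, the following check is an added example (not part of the toolkit) that verifies each subdirectory exists and carries an uncommented deny rule in its .htaccess. It assumes the subdirectory names are exactly those listed on this page and that the rule uses either Apache 2.4 (Require all denied) or Apache 2.2 (Deny from all) syntax; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the wp-content/uploads/mmcra/ tree after install.
# Assumptions: subdirectory names match the list on this page; the deny
# rule is written as "Require all denied" or "Deny from all".

MMCRA_SUBDIRS="sboms scans vdp doc bundles"

# has_deny_rule FILE
# Succeeds only if FILE exists and has a deny-all directive that is not
# commented out (a line starting with "#" does not match).
has_deny_rule() {
    [ -f "$1" ] || return 1
    grep -Eiq '^[[:space:]]*(Require[[:space:]]+all[[:space:]]+denied|Deny[[:space:]]+from[[:space:]]+all)' "$1"
}

# check_mmcra_tree BASE
# Prints one status line per expected subdirectory and returns the
# number of problems found (0 means every directory is present and denied).
check_mmcra_tree() {
    base=$1
    problems=0
    for d in $MMCRA_SUBDIRS; do
        dir="$base/$d"
        if [ ! -d "$dir" ]; then
            echo "MISSING  $dir"
            problems=$((problems + 1))
        elif ! has_deny_rule "$dir/.htaccess"; then
            echo "OPEN     $dir (no active deny rule in .htaccess)"
            problems=$((problems + 1))
        else
            echo "OK       $dir"
        fi
    done
    return "$problems"
}

# Run against a path when one is given, e.g.:
#   sh check-mmcra.sh /var/www/html/wp-content/uploads/mmcra
if [ -n "${1:-}" ]; then
    check_mmcra_tree "$1"
fi
```

A passing result only shows that the files are in place: .htaccess is honoured by Apache when AllowOverride permits it and is ignored by nginx. On such hosts, also confirm that a direct request for a file under these directories is refused.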