MMCRA Toolkit vs the alternatives
The three categories
SaaS compliance platforms generate the documents and run dependency scans but route everything through their own API and a paid subscription. Your compliance posture lives on their servers. Cancel the subscription and you lose the live monitoring; export your evidence on the way out or you lose it entirely.
Site security scanners are built for site owners, not plugin developers. They scan the WordPress core, themes, and plugins installed on the host — which is the wrong scope. The CRA holds the plugin manufacturer responsible for the plugin product, not the site that happens to be running it. A site scan tells you which plugins on your test install are vulnerable. It doesn't tell you whether the plugin you ship to 500 customers has a vulnerable dependency baked in.
MMCRA Toolkit reads the lockfiles of your shipped plugin — composer.lock and package-lock.json — and produces the artifacts the CRA actually asks the manufacturer to produce: an SBOM per product, a VDP, a per-product Declaration of Conformity, a single Compliance Bundle for regulator handoff, and a tamper-evident audit log. It runs entirely inside your WordPress install. No external account.
Detailed feature comparison
| Capability | SaaS compliance tools | Site security scanners | MMCRA Toolkit |
|---|---|---|---|
| Runs inside your WordPress (no external account) | — | ✓ | ✓ |
| Scans your shipped plugin's dependencies | Yes (via API) | No · scans the host site | Yes (from lockfiles) |
| CycloneDX 1.6 SBOM (ENISA-referenced format) | CycloneDX 1.5 | Limited or none | CycloneDX 1.6 |
| SBOM from any uploaded plugin zip | Limited | — | ✓ |
| Per-product Declaration of Conformity (Annex V) | Single generic template | Not included | Per plugin, Annex V structure |
| Vulnerability Disclosure Policy (ISO/IEC 29147) | ✓ | — | ✓ · publish as page or export HTML |
| Vulnerability monitoring | WPScan API (paid) | WPScan API on site plugins | OSV.dev (free) on your dependencies |
| Static analysis of your plugin's source | — | — | Pro: routes, capabilities, nonce, anti-patterns |
| One-click Compliance Bundle ZIP for regulator | PDF report only | — | SBOM + VDP + DoC + scan + audit log |
| Tamper-evident audit log with SHA-256 | — | — | ✓ · per-artifact hash, CSV export |
| License fingerprint watermarking | — | — | ✓ · embedded in every artifact |
| Where your evidence lives | Vendor's servers | Your WP database | wp-content/uploads/mmcra/ |
| What happens if you stop paying | Monitoring stops · evidence inaccessible | Free tier covers basics | Plugin keeps working. License gates only updates and Pro features. |
| Pricing structure | Per-plugin tiers (5, 20, etc.) | Per-site subscription | Solo $149 · Studio $399 · Unlimited $999 |
| Source code transparency | Closed | Some open source | GPL-2.0, on GitHub |
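To make concrete what "SBOM from lockfiles" (the paragraph above the table) and "tamper-evident audit log with SHA-256 per-artifact hash" (the table row) mean in practice, here is an added Python example. It is not MMCRA Toolkit's own code: the plugin runs as PHP inside WordPress, while this stand-alone script only illustrates the same two steps. The lockfile excerpts, the product name, the purl construction and the hash-chain layout of the log are constructed assumptions for the example, not details taken from the product.

```python
# Added example, not MMCRA Toolkit code: convert a plugin's composer.lock and
# package-lock.json into a CycloneDX 1.6 SBOM, then record that artifact in a
# hash-chained, tamper-evident audit log. All sample data below is constructed.
import hashlib
import json
from urllib.parse import quote

# Constructed composer.lock excerpt (only the fields the converter needs).
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "guzzlehttp/guzzle", "version": "7.8.1"},
        {"name": "monolog/monolog", "version": "3.5.0"},
    ],
    "packages-dev": [{"name": "phpunit/phpunit", "version": "10.5.2"}],
})

# Constructed package-lock.json excerpt (lockfileVersion 3 "packages" layout).
PACKAGE_LOCK = json.dumps({
    "name": "example-plugin", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-plugin", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/@babel/core": {"version": "7.23.0", "dev": True},
        "node_modules/@babel/core/node_modules/semver": {"version": "6.3.1", "dev": True},
    },
})


def components_from_composer_lock(text, include_dev=False):
    """Composer lockfile -> CycloneDX component dicts with pkg:composer purls."""
    data = json.loads(text)
    sections = ["packages"] + (["packages-dev"] if include_dev else [])
    comps = []
    for section in sections:
        for pkg in data.get(section, []):
            name, version = pkg["name"], pkg["version"].lstrip("v")
            comps.append({"type": "library", "name": name, "version": version,
                          "purl": f"pkg:composer/{name}@{version}"})
    return comps


def components_from_package_lock(text, include_dev=False):
    """npm lockfile (v2/v3 'packages' map) -> CycloneDX component dicts."""
    data = json.loads(text)
    comps = []
    for path, entry in data.get("packages", {}).items():
        if path == "":                        # root project, not a dependency
            continue
        if entry.get("dev") and not include_dev:
            continue                          # dev-only packages are not shipped
        # Nested installs look like node_modules/a/node_modules/b; the package
        # name is whatever follows the last "node_modules/". Scoped names
        # (@scope/name) get their "@" percent-encoded in the purl namespace.
        name = path.rsplit("node_modules/", 1)[-1]
        version = entry["version"]
        comps.append({"type": "library", "name": name, "version": version,
                      "purl": f"pkg:npm/{quote(name, safe='/')}@{version}"})
    return comps


def build_sbom(product_name, product_version, components):
    """Minimal CycloneDX 1.6 JSON document for one shipped plugin."""
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
        "metadata": {"component": {"type": "application",
                                   "name": product_name, "version": product_version}},
        "components": sorted(components, key=lambda c: c["purl"]),
    }


def canonical_bytes(doc):
    """Deterministic serialisation so an unchanged artifact always hashes the same."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def append_audit_entry(log, artifact_name, doc):
    """Append an entry that commits to the artifact hash and to the previous
    entry's hash, so editing, reordering or deleting an entry breaks the chain."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {"seq": len(log) + 1, "artifact": artifact_name,
             "artifact_hash": sha256_hex(canonical_bytes(doc)), "prev_hash": prev}
    entry["entry_hash"] = sha256_hex(canonical_bytes(entry))
    log.append(entry)
    return entry


def verify_audit_log(log, artifacts):
    """Recompute every hash; False if any artifact or log entry was altered."""
    prev = "0" * 64
    for i, entry in enumerate(log, start=1):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False
        if sha256_hex(canonical_bytes(body)) != entry["entry_hash"]:
            return False
        doc = artifacts.get(entry["artifact"])
        if doc is None or sha256_hex(canonical_bytes(doc)) != entry["artifact_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def demo():
    """Build the SBOM for the constructed plugin and log it as one artifact."""
    comps = components_from_composer_lock(COMPOSER_LOCK) + components_from_package_lock(PACKAGE_LOCK)
    sbom = build_sbom("example-plugin", "1.0.0", comps)
    log, artifacts = [], {"sbom.cdx.json": sbom}
    append_audit_entry(log, "sbom.cdx.json", sbom)
    return sbom, log, artifacts


if __name__ == "__main__":
    sbom, log, artifacts = demo()
    print(json.dumps(sbom, indent=2))
    print("audit log valid:", verify_audit_log(log, artifacts))
```

Two design points carry over to any real implementation: dev-only packages are excluded by default because they are not part of what ships to customers, which is the scope the CRA holds the manufacturer to; and the artifact is hashed in a canonical serialisation, otherwise a harmless re-export with different key order would look like tampering. Verifying the chain requires the original artifacts alongside the log, which is why a bundle that ships the SBOM, the other documents and the audit log together is easier to check than a log on its own.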
Sign once. File with confidence.
Skip the Annex V boilerplate. Fill your details once and export a clean declaration for every product you ship.
Declaration of Conformity questions
Do I need one declaration per plugin or per company?
Per plugin. The CRA declares conformity at the product level, so each plugin you place on the EU market needs its own signed Declaration of Conformity identifying that product and version.
How do I produce a signed PDF?
Export the declaration to HTML and print to PDF from your browser, then sign it. Keeping export as HTML keeps the plugin lean and the audit-log hash stable.
I’m not in the EU. Does this cover the representative requirement?
The template includes the EU authorised representative section so you can record one under Article 17. MMCRA produces the document; appointing a representative where required is still your responsibility.
Is this legal advice?
No. The toolkit produces the Annex V artifact. Final responsibility for conformity and for choosing the right assessment route rests with you, and EU-based authors should consult qualified counsel.