Resilience Compliance Manager

CRA compliance for WordPress developers. Checklist, document generator, vulnerability scanner, and incident reporting for the 2026 EU deadline.

By bean1352

Version 1.2.12 Active Installs 0+ Updated 4 days ago 10 days old

Description

If you sell a WordPress plugin or theme to anyone in the EU, the EU Cyber Resilience Act (Regulation 2024/2847) applies to you. It does not matter where you are based or whether your product is free. Agencies distributing custom plugins or themes to EU clients are also in scope.

From September 11, 2026, you need a documented vulnerability reporting process, the required security documents, and a way to monitor your products for known vulnerabilities. ResilienceWP is built for WordPress developers — plugin developers, theme developers, and agencies — to cover all of that in one place.

Non-compliance carries fines up to EUR 15 million or 2.5% of global annual turnover. Authorities can also force non-compliant products off the EU market.

The free plan covers the paperwork side of compliance: checklist, five document templates, and the CRA education guide. Paid plans add automated vulnerability scanning, email alerts, the Incident Center for ENISA notification management, and downloadable compliance reports, all directly inside your WordPress admin. Pro plans also include webhook integrations for CI/CD pipelines and external tools — get real-time notifications when scans complete or vulnerabilities are found.

For pricing, documentation, and more details visit resiliencewp.com.

Compliance Checklist (Free)

26 actionable items, each mapped to a specific CRA article. Five categories cover everything the regulation requires:

  • Risk Assessment: documenting threats, attack surfaces, and mitigations
  • Secure Development: secure defaults, no known exploitable vulnerabilities at release
  • Vulnerability Handling: disclosure policy, coordinated reporting, user notification
  • Required Documentation: SBOM, Declaration of Conformity, technical file
  • Post-Market Obligations: ongoing monitoring, security updates, end-of-life policy

Every item has a plain-English explanation of what it means and why it matters. Check items off as you complete them. Progress saves automatically.

Document Generator (Free)

Generate the five documents the CRA requires before you can legally place a product on the EU market:

  • Vulnerability Disclosure Policy (Article 13(6)): your public process for receiving and handling security reports from researchers
  • Incident Response Plan: your internal procedure when a vulnerability is discovered or actively exploited
  • EU Declaration of Conformity: the formal self-declaration that your product meets CRA essential requirements
  • Software Bill of Materials (SBOM) (Article 13): a structured inventory of your plugin’s components, dependencies, and third-party libraries
  • security.txt: the machine-readable contact file security researchers use to reach you, placed at /.well-known/security.txt

Fill in your plugin name, contact details, and a few specifics. Download in text or markdown format. No starting from scratch, no lawyer needed for the first draft.

CRA Education Centre (Free)

An article-by-article breakdown of Regulation (EU) 2024/2847, written for developers rather than legal teams. Understand what each obligation actually requires: what counts as “active exploitation,” what an SBOM needs to contain, what the 24-hour reporting window really means.

Vulnerability Scanner (Basic and Pro)

Connect your account to ResilienceWP and it monitors your plugins against the WPScan vulnerability database on a regular schedule: weekly on Basic, daily on Pro.

You can monitor any plugin by its WordPress.org slug, not just the plugins currently installed on your site. If your plugin depends on WooCommerce, ACF, or any other third-party plugin, you can add those slugs directly and track vulnerabilities in your dependencies. Plugins can also be added directly from your installed plugins list.

The moment a new vulnerability is found, you get an email with the severity rating, CVE ID, affected version range, and fix version if one is available. Back in your WordPress admin, vulnerabilities are grouped by plugin and sorted by date discovered, so you can see at a glance which plugins have open issues and how old they are.

Each vulnerability card shows:

  • Severity (Critical / High / Medium / Low / Info) with colour coding
  • CVE identifier linked directly to the NVD entry
  • The fix version (or “no fix available yet”)
  • An action hint: whether to update, acknowledge, or open an incident
  • A button to report the incident directly to the Incident Center

Status tracking lets you mark vulnerabilities as Open, Acknowledged, In Progress, Resolved, or False Positive. Export the full vulnerability list as CSV for your compliance records.

Incident Center (Basic and Pro)

When a vulnerability in your plugin is being actively exploited, the CRA requires you to notify ENISA within 24 hours. The Incident Center tracks that deadline from the moment you log first awareness and guides you through the complete regulatory workflow.

Creating a new incident logs the discovery timestamp and starts all three countdown timers simultaneously:

  1. Early Warning: due within 24 hours of first awareness
  2. Vulnerability Notification: due within 72 hours, with full technical details
  3. Final Report: due within 14 days, including root cause and remediation steps

The case view shows:

  • Live countdown timers for each notification deadline, turning amber at 6 hours and red when overdue
  • A completeness score on your incident report so you know exactly what information is still missing
  • A “Where to Submit” section with direct links to ENISA’s reporting portal, the EU CSIRT network directory, and the CVE Programme at MITRE
  • A full audit log recording every action taken, every field updated, and every notification submitted

On Pro, you can export the full incident case including all notifications and the complete audit log, formatted for submission to regulators or for your compliance archive.

Dashboard and Compliance Score

The dashboard gives you a live compliance score (0-100) with a transparent breakdown:

  • -15 points per open critical vulnerability
  • -7 points per open high vulnerability
  • -3 points per open medium vulnerability
  • -20 points per overdue incident (past the 24-hour ENISA deadline)
  • -5 points per active open incident

It is not a vanity metric. It is a working indicator of where you stand against your CRA obligations at any point in time, with the exact deductions shown so you know what to fix first.
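The Incident Center countdown rules above and the dashboard deductions, worked through together as an added example (this is not the plugin's own code). It assumes the 24 h / 72 h / 14 day windows all count from first awareness, that Open, Acknowledged and In Progress count as "open" vulnerabilities, that an overdue incident takes both the -20 and the -5 deduction, and that the score is clamped at 0.

```python
from datetime import datetime, timedelta, timezone

# Deadlines as the listing describes them, all counted from first awareness.
DEADLINES = {
    "early_warning": timedelta(hours=24),
    "vulnerability_notification": timedelta(hours=72),
    "final_report": timedelta(days=14),
}
AMBER_WINDOW = timedelta(hours=6)   # timer turns amber with 6 h left

def deadline_states(first_awareness: datetime, now: datetime) -> dict:
    """Map each notification to 'green', 'amber' (<= 6 h left) or 'red' (overdue)."""
    states = {}
    for name, window in DEADLINES.items():
        remaining = first_awareness + window - now
        if remaining <= timedelta(0):
            states[name] = "red"
        elif remaining <= AMBER_WINDOW:
            states[name] = "amber"
        else:
            states[name] = "green"
    return states

def compliance_score(vulns, incidents, now: datetime) -> int:
    """vulns: (severity, status) pairs; incidents: (first_awareness, status) pairs."""
    open_vuln_statuses = {"Open", "Acknowledged", "In Progress"}   # assumption
    penalty = {"critical": 15, "high": 7, "medium": 3}            # Low/Info: none
    score = 100
    for severity, status in vulns:
        if status in open_vuln_statuses:
            score -= penalty.get(severity.lower(), 0)
    for first_awareness, status in incidents:
        if status != "open":
            continue
        score -= 5                                                 # active open incident
        if deadline_states(first_awareness, now)["early_warning"] == "red":
            score -= 20                                            # past the 24 h deadline
    return max(0, score)                                           # clamp assumed

# Constructed sample data, not real scan results.
NOW = datetime(2026, 9, 12, 12, 0, tzinfo=timezone.utc)
SAMPLE_VULNS = [("Critical", "Open"), ("High", "Resolved"),
                ("Medium", "In Progress"), ("Low", "Open")]
SAMPLE_INCIDENTS = [(NOW - timedelta(hours=30), "open"),   # overdue
                    (NOW - timedelta(hours=20), "open")]   # 4 h left: amber

if __name__ == "__main__":
    print(compliance_score(SAMPLE_VULNS, SAMPLE_INCIDENTS, NOW))
```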

Compliance Reports and SBOM Export (Basic and Pro)

Generate a PDF compliance report for auditors or regulators covering your vulnerability history, resolution timeline, and document status. Export your Software Bill of Materials in standard format, as required by CRA Article 13.

Webhook Integrations (Pro)

Connect ResilienceWP to your CI/CD pipeline, Slack, or any external tool with webhook callbacks. Configure webhook endpoints in Settings and receive real-time HTTP POST notifications with HMAC-SHA256 signed payloads when:

  • A scheduled or manual scan completes
  • A new vulnerability is found in one of your monitored plugins

Each webhook delivery is logged with status codes and response data, so you can debug integration issues directly from your WordPress admin. Manage up to 5 webhook endpoints per account, toggle them on and off, and filter by event type.
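A receiving endpoint should verify the HMAC-SHA256 signature before acting on a delivery. The following is an added example of that check for the consumer side (not ResilienceWP's own code); the header name, hex digest encoding, event names and payload fields are assumptions, since the listing does not document the wire format.

```python
import hashlib
import hmac
import json

# Assumed header and event names; confirm against the actual webhook docs.
SIGNATURE_HEADER = "X-ResilienceWP-Signature"
KNOWN_EVENTS = {"scan.completed", "vulnerability.found"}

def sign(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw request body (assumed digest format)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_webhook(secret: bytes, headers: dict, body: bytes) -> dict:
    """Return the parsed event only if the signature matches; raise otherwise."""
    presented = headers.get(SIGNATURE_HEADER, "")
    expected = sign(secret, body)
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(presented, expected):
        raise ValueError("signature mismatch: reject delivery")
    # Decode JSON only after authentication; untrusted bodies stay unparsed.
    event = json.loads(body)
    if event.get("event") not in KNOWN_EVENTS:
        raise ValueError(f"unknown event type: {event.get('event')!r}")
    return event

# Constructed sample delivery; field names and values are placeholders.
SECRET = b"replace-with-the-secret-from-settings"
SAMPLE_BODY = json.dumps({
    "event": "vulnerability.found",
    "plugin": "example-plugin",
    "severity": "high",
    "cve": "CVE-PLACEHOLDER",
}, separators=(",", ":")).encode()
SAMPLE_HEADERS = {SIGNATURE_HEADER: sign(SECRET, SAMPLE_BODY)}

if __name__ == "__main__":
    print(verify_webhook(SECRET, SAMPLE_HEADERS, SAMPLE_BODY))
```

Signing the raw bytes matters: re-serialising the JSON before hashing would change whitespace or key order and break verification.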

Who needs to comply

  • Commercial plugin developers: selling to EU customers through any channel (your site, Envato, direct) makes you the manufacturer under the CRA
  • WordPress agencies: distributing custom-built plugins to EU clients, even for a single client, counts as placing a product on the market
  • Freemium developers: having a free version does not exempt you; any commercial activity tied to the product brings you in scope
  • Theme developers: themes with shortcodes, API integrations, or custom post types may qualify as “products with digital elements”

Key dates

  • 10 December 2024: CRA entered into force. Transition period began.
  • 11 September 2026: Vulnerability and incident reporting obligations apply.
  • 11 December 2027: Full CRA application. All requirements in effect.

Source Code

The admin dashboard is built with React and compiled using Vite. The uncompiled source is included in the plugin ZIP under admin/src/. To rebuild from source:

  1. Install Node.js 20+ and pnpm 10+
  2. Run pnpm install in the plugin directory
  3. Run pnpm build to recompile the admin dashboard

External Services

ResilienceWP API (https://api.resiliencewp.com)
Used for API key verification, vulnerability scanning, incident management, and report generation. Data sent: API key, WordPress site URL, plugin slugs and versions.
Terms of Service | Privacy Policy

WPScan (via ResilienceWP API)
Plugin vulnerability data is sourced from the WPScan database. Plugin slugs are sent through the ResilienceWP API. No personal data is sent from your WordPress installation directly to WPScan.
WPScan Terms | WPScan Privacy Policy

Paddle (payments)
Subscription payments are processed by Paddle as merchant of record. Payment data is handled entirely by Paddle and never passes through our servers.
Paddle Terms | Paddle Privacy
