WordPress.org

English (South Africa)

Get WordPress
WordPress.org

Plugin Directory

Erdo CRA Compliance – EU Cyber Resilience Act, GDPR & NIS2 Scanner for WordPress

Erdo CRA Compliance – EU Cyber Resilience Act, GDPR & NIS2 Scanner for WordPress

By Erdinc Bulat
Download

Description

Erdo CRA Compliance helps WordPress site owners and plugin developers prepare for EU regulatory deadlines — the CRA Vulnerability Disclosure Policy obligation (September 11, 2026) and full CRA compliance (December 11, 2027).

What it does

  • Plugin Risk Scanner — Scans all active plugins against CRA readiness criteria: last updated, WordPress version lag, PHP requirements, support health, and closed/removed plugin detection.
  • GDPR Scanner — Detects third-party scripts, external resource connections, and data-handling risk signals on your site.
  • NIS2 Scanner — Checks site-level security posture against NIS2 Article 21 requirements: HTTPS, MFA, backups, WAF, activity logging, and auto-updates.
  • Compliance Dashboard — Visual score ring, per-framework risk counts, and actionable guidance in one screen.
  • PDF Compliance Report — Download a formatted PDF report covering all scan results, executive summary, and prioritised recommendations.
  • VDP Generator — Generate a ready-to-publish Vulnerability Disclosure Policy document pre-filled with your site details.
  • SBOM Generator — Create a CycloneDX 1.4 JSON Software Bill of Materials covering WordPress core, active plugins, and active theme.
  • security.txt — Automatically serve an RFC 9116-compliant /.well-known/security.txt on your site.
  • Conformity Declaration Template — A structured self-assessment checklist covering CRA Articles 10/11/14, GDPR Articles 25/32/30, and NIS2 Articles 21/23.

CRA Deadlines

  • September 11, 2026 — Vulnerability Disclosure Policy (VDP) obligation begins. This plugin generates and serves your VDP automatically.
  • December 11, 2027 — Full CRA compliance + CE marking required. Penalties up to 15M EUR or 2.5% of global turnover.

Legal Disclaimer

This plugin provides automated analysis tools and document templates to assist with EU regulatory preparation. It does not constitute legal advice and does not guarantee regulatory compliance with the CRA, GDPR, NIS2, or any other regulation. All assessments, scores, and generated documents (VDP, SBOM, security.txt, Conformity Declaration) are starting points and templates only. Consult a qualified legal or compliance professional before relying on any output for regulatory purposes.

External Services

This plugin connects to the following third-party services. Each is documented below with what it is used for, what data is sent, when, and links to the relevant terms and privacy policy.

WordPress.org Plugins API

This plugin makes HTTP requests to the WordPress.org Plugins API (api.wordpress.org/plugins/info/) to retrieve metadata for installed plugins (last updated, tested WordPress version, PHP requirements, active installs). This request is made only during a manual or scheduled scan. No user data is sent — only plugin slugs are included in the request. Responses are cached for 12 hours per plugin using WordPress transients to minimise API requests. See the WordPress.org privacy policy.

Patchstack Vulnerability Database (optional)

This plugin can optionally connect to the Patchstack vulnerability database (patchstack.com/database/api/v2) to check installed plugins against known security vulnerabilities (CVEs). This connection is opt-in and disabled by default — it is only made if the site owner enters their own Patchstack API key on the plugin’s Settings page.

When enabled, the plugin sends the configured API key (for authentication) and the slugs/versions of installed plugins (to look up known vulnerabilities) during a manual or scheduled scan. Vulnerability responses are cached for 6 hours using WordPress transients. No personal or visitor data is sent. This service is provided by Patchstack OÜ: Terms of Service, Privacy Policy.

GDPR Scanner — third-party script detection

The GDPR scanner module includes a list of known third-party script domains (e.g. Google Analytics, Facebook Pixel, Intercom, HubSpot) used to detect whether your site is loading scripts from these services. This is a local pattern match against script URLs already enqueued on your own site — the plugin itself does not contact, query, or send any data to these third-party services.

Privacy

This plugin does not collect, store, or transmit any personal data to external services beyond the requests described above.

Screenshots

Main compliance dashboard with score ring and per-framework risk cards.
Main compliance dashboard with score ring and per-framework risk cards.
Scan results table with filter tabs for CRA, GDPR, and NIS2 findings.
Scan results table with filter tabs for CRA, GDPR, and NIS2 findings.
Developer Tools — VDP, SBOM, security.txt, and Conformity Declaration generators.
Developer Tools — VDP, SBOM, security.txt, and Conformity Declaration generators.
PDF compliance report download.
PDF compliance report download.

Installation

  1. Upload the erdo-cra-compliance folder to /wp-content/plugins/.
  2. Activate the plugin through the Plugins screen in WordPress.
  3. Navigate to CRA Compliance in the WordPress admin sidebar.
  4. Click Run Scan to perform your first compliance scan.

FAQ

What is the EU Cyber Resilience Act and does it affect my WordPress site?

The EU Cyber Resilience Act (CRA) is a regulation that requires manufacturers of products with digital elements — including software and websites sold or used in the EU — to meet cybersecurity standards throughout the product lifecycle. If you sell products or services in the EU, run a WordPress site that processes EU user data, or develop WordPress plugins, the CRA likely applies to you. The first deadline (Vulnerability Disclosure Policy) is September 11, 2026. Full compliance is required by December 11, 2027.

How do I add a Vulnerability Disclosure Policy to my WordPress site?

Use the VDP Generator in Erdo CRA Compliance. It creates a ready-to-publish policy document pre-filled with your site details. The plugin also automatically serves it at the standard URL /.well-known/security.txt so security researchers can find it without you touching your server configuration.

How do I add a security.txt file to WordPress?

Erdo CRA Compliance automatically serves an RFC 9116-compliant security.txt at yourdomain.com/.well-known/security.txt. You do not need to create or upload the file manually — the plugin handles it as soon as you activate it and fill in the Settings tab.

What is an SBOM and why do I need one for EU CRA compliance?

An SBOM (Software Bill of Materials) is a machine-readable inventory of all software components in your product. The CRA requires vendors to provide an SBOM to document what their software is made of. Erdo CRA Compliance generates a CycloneDX 1.4 JSON SBOM covering WordPress core, all active plugins, and your active theme — ready to provide to customers or regulators.

How do I check if my WordPress plugins are CRA-compliant?

Run the Plugin Risk Scanner in Erdo CRA Compliance. It checks every active plugin against CRA readiness criteria: last updated date, WordPress version lag, PHP requirements, support health, and whether the plugin has been closed or removed from WordPress.org. Each plugin receives a risk rating (LOW / MEDIUM / HIGH) with specific reasons and recommended actions.

How do I prepare my WordPress site for GDPR?

The GDPR Scanner in Erdo CRA Compliance detects third-party scripts loading on your site — Google Analytics, Facebook Pixel, HubSpot, Intercom, and others — and flags them as potential data-handling risks. You get a list of external domains your site contacts, so you can audit your cookie consent setup and data processing agreements.

Does this plugin guarantee EU compliance?

No. This plugin provides automated analysis and document templates to help you assess and document your compliance posture. All assessments and generated documents should be reviewed by a qualified legal or compliance professional before regulatory use.

What is the EU Cyber Resilience Act?

The CRA is an EU regulation requiring manufacturers of “products with digital elements” (including software) to meet cybersecurity requirements throughout the product lifecycle — including vulnerability disclosure, security updates, and SBOM documentation.

Does the plugin work with multisite?

The plugin is designed for single-site installations. Multisite support is not included in this version.

What does the compliance score mean?

The score (0–100) is calculated as: 100 minus 10 points per HIGH risk finding and 5 points per MEDIUM risk finding, floored at 0. It is an indicative benchmark, not a regulatory certification.

Why is a plugin showing HIGH risk?

Common reasons: not updated for over 2 years, tested on a WordPress version 2+ major releases behind current, requires an end-of-life PHP version, or has been removed from WordPress.org.

How are third-party scripts detected for GDPR?

The plugin captures enqueued script sources on frontend page loads and stores them temporarily. This allows the GDPR scanner to identify external domains even when running in the admin context.

Reviews

Makes the CRA homework actually approachable

June 17, 2026
I’m based in the EU, so the CRA deadlines have been quietly stressing me out for months. Every time I tried to figure out what I actually needed to do I just bounced off walls of legal text. This is the first thing that broke it down into something I could genuinely act on. You run a scan and it lays out where each of your plugins stands, flags the abandoned or outdated ones, and gives you a clear score per framework instead of a vague “you might have a problem somewhere.” The generators are the part I didn’t expect to like as much as I do. Being able to spit out a ready VDP, a proper CycloneDX SBOM, and a valid security.txt in a couple of clicks saved me hours I’d otherwise have spent piecing those together by hand. It’s also refreshingly upfront that it’s a starting point and not legal advice, which is exactly the right tone for this kind of thing. And the dev is clearly responsive and actually cares about getting it right. For a free plugin tackling something this messy, genuinely impressive. Looking forward to seeing where it goes.
Read all 1 reviews

Contributors & Developers

“Erdo CRA Compliance – EU Cyber Resilience Act, GDPR & NIS2 Scanner for WordPress” is open source software. The following people have contributed to this plugin.

Contributors

Translate “Erdo CRA Compliance – EU Cyber Resilience Act, GDPR & NIS2 Scanner for WordPress” into your language.

Interested in development?

Browse the code, check out the SVN repository, or subscribe to the development log by RSS.

Change log

1.0.0

  • Initial release.
  • CRA plugin scanner with risk scoring (last updated, WP lag, PHP requirements, support health, closed plugin detection).
  • GDPR third-party script scanner with frontend capture via wp_footer hook.
  • NIS2 Article 21 scanner (HTTPS, MFA, backup, WAF, activity log, auto-updates).
  • Compliance dashboard with animated SVG score ring.
  • PDF report generation (FPDF, 5-section report).
  • VDP policy generator.
  • CycloneDX 1.4 SBOM generator.
  • RFC 9116 security.txt (auto-served at /.well-known/security.txt).
  • Conformity Declaration template.
  • REST API endpoint: GET /wp-json/erdo-craguard/v1/sbom.
  • Daily and weekly wp_cron scan schedules.

Meta

Ratings

5 out of 5 stars.

Your review

See all reviews

Contributors

Support

Got something to say? Need help?

View support forum