[WordPress] Plugin Share: Resilience Compliance Manager

New plugin · No ratings yet · Last updated 4 days ago
Requires WordPress 6.0+, PHP 7.4+ · v1.2.12 · Listed: 2026-03-04

Overview

Resilience Compliance Manager is a plugin designed for WordPress developers to help them meet the requirements of the EU Cyber Resilience Act. It provides compliance documentation, a vulnerability reporting process and monitoring tools to keep products lawful on the EU market.

【Key features】
• Compliance checklist covering 26 specific requirements
• Automatic generation of the required security document templates
• Vulnerability scanning with real-time email notifications
• Incident Center for managing ENISA notifications
• Webhook integration for CI/CD pipelines


Original plugin description

If you sell a WordPress plugin or theme to anyone in the EU, the EU Cyber Resilience Act (Regulation 2024/2847) applies to you. It does not matter where you are based or whether your product is free. Agencies distributing custom plugins or themes to EU clients are also in scope.
From September 11, 2026, you need a documented vulnerability reporting process, the required security documents, and a way to monitor your products for known vulnerabilities. ResilienceWP is built for WordPress developers — plugin developers, theme developers, and agencies — to cover all of that in one place.
Non-compliance carries fines up to EUR 15 million or 2.5% of global annual turnover. Authorities can also force non-compliant products off the EU market.
The free plan covers the paperwork side of compliance: checklist, five document templates, and the CRA education guide. Paid plans add automated vulnerability scanning, email alerts, the Incident Center for ENISA notification management, and downloadable compliance reports, all directly inside your WordPress admin. Pro plans also include webhook integrations for CI/CD pipelines and external tools — get real-time notifications when scans complete or vulnerabilities are found.
For pricing, documentation, and more details visit resiliencewp.com.
Compliance Checklist (Free)
26 actionable items, each mapped to a specific CRA article. Five categories cover everything the regulation requires:

Risk Assessment: documenting threats, attack surfaces, and mitigations
Secure Development: secure defaults, no known exploitable vulnerabilities at release
Vulnerability Handling: disclosure policy, coordinated reporting, user notification
Required Documentation: SBOM, Declaration of Conformity, technical file
Post-Market Obligations: ongoing monitoring, security updates, end-of-life policy

Every item has a plain-English explanation of what it means and why it matters. Check items off as you complete them. Progress saves automatically.
Document Generator (Free)
Generate the five documents the CRA requires before you can legally place a product on the EU market:

Vulnerability Disclosure Policy (Article 13(6)): your public process for receiving and handling security reports from researchers
Incident Response Plan: your internal procedure when a vulnerability is discovered or actively exploited
EU Declaration of Conformity: the formal self-declaration that your product meets CRA essential requirements
Software Bill of Materials (SBOM) (Article 13): a structured inventory of your plugin’s components, dependencies, and third-party libraries
security.txt: the machine-readable contact file security researchers use to reach you, placed at /.well-known/security.txt

Fill in your plugin name, contact details, and a few specifics. Download in text or markdown format. No starting from scratch, no lawyer needed for the first draft.
CRA Education Centre (Free)
An article-by-article breakdown of Regulation (EU) 2024/2847, written for developers rather than legal teams. Understand what each obligation actually requires: what counts as “active exploitation,” what an SBOM needs to contain, what the 24-hour reporting window really means.
Vulnerability Scanner (Basic and Pro)
Connect your account to ResilienceWP and it monitors your plugins against the WPScan vulnerability database on a regular schedule. Weekly on Basic, daily on Pro.
You can monitor any plugin by its WordPress.org slug, not just the plugins currently installed on your site. If your plugin depends on WooCommerce, ACF, or any other third-party plugin, you can add those slugs directly and track vulnerabilities in your dependencies. Plugins can also be added directly from your installed plugins list.
The moment a new vulnerability is found, you get an email with the severity rating, CVE ID, affected version range, and fix version if one is available. Back in your WordPress admin, vulnerabilities are grouped by plugin and sorted by date discovered, so you can see at a glance which plugins have open issues and how old they are.
Each vulnerability card shows:

Severity (Critical / High / Medium / Low / Info) with colour coding
CVE identifier linked directly to the NVD entry
The fix version (or “no fix available yet”)
An action hint: whether to update, acknowledge, or open an incident
A button to report the incident directly to the Incident Center

Status tracking lets you mark vulnerabilities as Open, Acknowledged, In Progress, Resolved, or False Positive. Export the full vulnerability list as CSV for your compliance records.
Incident Center (Basic and Pro)
When a vulnerability in your plugin is being actively exploited, the CRA requires you to notify ENISA within 24 hours. The Incident Center tracks that deadline from the moment you log first awareness and guides you through the complete regulatory workflow.
Creating a new incident logs the discovery timestamp and starts all three countdown timers simultaneously:

Early Warning: due within 24 hours of first awareness
Vulnerability Notification: due within 72 hours, with full technical details
Final Report: due within 14 days, including root cause and remediation steps

The case view shows:

Live countdown timers for each notification deadline, turning amber at 6 hours and red when overdue
A completeness score on your incident report so you know exactly what information is still missing
A “Where to Submit” section with direct links to ENISA’s reporting portal, the EU CSIRT network directory, and the CVE Programme at MITRE
A full audit log recording every action taken, every field updated, and every notification submitted

On Pro, you can export the full incident case including all notifications and the complete audit log, formatted for submission to regulators or for your compliance archive.
Dashboard and Compliance Score
The dashboard gives you a live compliance score (0-100) with a transparent breakdown:

-15 points per open critical vulnerability
-7 points per open high vulnerability
-3 points per open medium vulnerability
-20 points per overdue incident (past the 24-hour ENISA deadline)
-5 points per active open incident

It is not a vanity metric. It is a working indicator of where you stand against your CRA obligations at any point in time, with the exact deductions shown so you know what to fix first.
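As an added example (not the plugin's own code), the following models the Incident Center countdown timers from the section above together with the dashboard deductions listed here, so the two can be checked against each other. Function names, the 'green'/'amber'/'red'/'done' labels and the input shapes are assumptions made for this example; the deadline windows and point values are the ones stated on this page.

```python
# Added example, not ResilienceWP's own code: Incident Center timers plus the
# compliance-score deductions listed on this page. Names are assumptions.
from datetime import datetime, timedelta, timezone

# CRA notification windows measured from first awareness, as listed above.
DEADLINES = {
    "early_warning": timedelta(hours=24),
    "vulnerability_notification": timedelta(hours=72),
    "final_report": timedelta(days=14),
}
AMBER_WINDOW = timedelta(hours=6)  # a timer turns amber with 6 hours left

def timer_status(first_awareness, now, submitted=None):
    """Return {stage: (due_at, 'green'|'amber'|'red'|'done')} for one incident."""
    submitted = submitted or set()
    out = {}
    for stage, window in DEADLINES.items():
        due = first_awareness + window
        if stage in submitted:
            state = "done"
        elif now > due:
            state = "red"  # overdue
        elif due - now <= AMBER_WINDOW:
            state = "amber"
        else:
            state = "green"
        out[stage] = (due, state)
    return out

# Deductions exactly as listed in the dashboard breakdown above.
VULN_PENALTY = {"critical": 15, "high": 7, "medium": 3}

def compliance_score(open_vulns, incidents, now):
    """open_vulns: severities of vulnerabilities still open (low/info cost nothing);
    incidents: list of (first_awareness, submitted_stages) for open incidents."""
    deductions = []
    for sev in open_vulns:
        if sev in VULN_PENALTY:
            deductions.append((f"open {sev} vulnerability", VULN_PENALTY[sev]))
    for first_seen, submitted in incidents:
        deductions.append(("active open incident", 5))
        # Overdue: the 24-hour ENISA early-warning deadline passed without a submission.
        if timer_status(first_seen, now, submitted)["early_warning"][1] == "red":
            deductions.append(("overdue incident", 20))
    score = max(0, 100 - sum(p for _, p in deductions))
    return score, deductions
```

The returned deduction list is the "transparent breakdown" the dashboard describes: a critical and a high vulnerability plus one incident that is 30 hours old with nothing submitted yields 100 - (15 + 7 + 5 + 20) = 53.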
Compliance Reports and SBOM Export (Basic and Pro)
Generate a PDF compliance report for auditors or regulators covering your vulnerability history, resolution timeline, and document status. Export your Software Bill of Materials in standard format, as required by CRA Article 13.
Webhook Integrations (Pro)
Connect ResilienceWP to your CI/CD pipeline, Slack, or any external tool with webhook callbacks. Configure webhook endpoints in Settings and receive real-time HTTP POST notifications with HMAC-SHA256 signed payloads when:

A scheduled or manual scan completes
A new vulnerability is found in one of your monitored plugins

Each webhook delivery is logged with status codes and response data, so you can debug integration issues directly from your WordPress admin. Manage up to 5 webhook endpoints per account, toggle them on and off, and filter by event type.
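An added example (not the plugin's or ResilienceWP's own code) of what the receiving side of these HMAC-SHA256 signed deliveries should do before trusting a "scan complete" or "vulnerability found" event: verify the signature over the raw request body in constant time, and only then parse it. The header name X-Signature, the hex encoding of the digest and the event payload shape are assumptions; check the plugin's documentation for the real ones.

```python
# Added example, not ResilienceWP's own code: verifying an HMAC-SHA256 signed
# webhook delivery on the CI/CD or tooling side. Header name and payload
# format are assumptions for this example.
import hashlib
import hmac
import json

def sign_payload(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 over the raw request body (assumed encoding)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_webhook(secret: bytes, body: bytes, headers: dict) -> bool:
    """Constant-time comparison of the signature header against the raw body.
    Verify the bytes as received, before any JSON parsing or re-serialisation."""
    received = headers.get("X-Signature", "")
    expected = sign_payload(secret, body)
    return hmac.compare_digest(expected, received)

def handle_event(secret: bytes, body: bytes, headers: dict):
    """Return the parsed event dict if the signature is valid, otherwise None."""
    if not verify_webhook(secret, body, headers):
        return None  # unsigned or tampered delivery: do not act on it
    return json.loads(body)

# Constructed sample delivery for this example, not a real ResilienceWP payload.
SECRET = b"constructed-webhook-secret"
SAMPLE = json.dumps({"event": "vulnerability.found",
                     "plugin": "example-plugin", "severity": "high"}).encode()

if __name__ == "__main__":
    good = {"X-Signature": sign_payload(SECRET, SAMPLE)}
    print(handle_event(SECRET, SAMPLE, good))
    tampered = SAMPLE.replace(b"high", b"low")
    print(handle_event(SECRET, tampered, good))  # None: body no longer matches
```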
Who needs to comply

Commercial plugin developers: selling to EU customers through any channel (your site, Envato, direct) makes you the manufacturer under the CRA
WordPress agencies: distributing custom-built plugins to EU clients, even for a single client, counts as placing a product on the market
Freemium developers: having a free version does not exempt you; any commercial activity tied to the product brings you in scope
Theme developers: themes with shortcodes, API integrations, or custom post types may qualify as “products with digital elements”

Key dates

10 December 2024: CRA entered into force. Transition period began.
11 September 2026: Vulnerability and incident reporting obligations apply.
11 December 2027: Full CRA application. All requirements in effect.

Source Code
The admin dashboard is built with React and compiled using Vite. The uncompiled source is included in the plugin ZIP under admin/src/. To rebuild from source:

Install Node.js 20+ and pnpm 10+
Run pnpm install in the plugin directory
Run pnpm build to recompile the admin dashboard

External Services
ResilienceWP API (https://api.resiliencewp.com)
Used for API key verification, vulnerability scanning, incident management, and report generation. Data sent: API key, WordPress site URL, plugin slugs and versions.
WPScan (via ResilienceWP API)
Plugin vulnerability data is sourced from the WPScan database. Plugin slugs are sent through the ResilienceWP API. No personal data is sent from your WordPress installation directly to WPScan.
Paddle (payments)
Subscription payments are processed by Paddle as merchant of record. Payment data is handled entirely by Paddle and never passes through our servers.
