The problem
The EU Cyber Resilience Act (CRA) deadline is September 11, 2026 —
less than 5 months away.
After that date, WordPress plugin developers and site owners in the EU
must follow formal vulnerability handling procedures. Non-compliant
products can be removed from the EU market. Fines reach up to
€15 million or 2.5% of global annual turnover.
Most WordPress site owners have no idea which of their plugins are
outdated or have known vulnerabilities.
What I built
CRA Scanner — a free WordPress plugin that scans your active
plugins and shows a clear compliance status for each one.
It checks:
- When each plugin was last updated (6+ months = warning, 12+ = risk)
- Known vulnerabilities via WPScan API — filtered to show only issues affecting your current installed version, not historical ones
- Whether PHP version requirements are declared
The result is a simple dashboard:
![CRA Scanner screenshot]
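The three checks listed above can be expressed as the following added sketch, which is not taken from the CRA Scanner source. The function names, array keys (`version`, `last_updated`, `requires_php`, `fixed_in`) and sample inventory are assumptions made for illustration, as is the choice to rate an open vulnerability as "risk" and a missing PHP requirement as "warning".

```php
<?php
declare(strict_types=1);
// Added example, not CRA Scanner code. Array keys and sample data are constructed.
// Keep only vulnerabilities that still affect the installed version.
function open_vulns(array $vulns, string $installed): array {
    return array_values(array_filter($vulns, function (array $v) use ($installed): bool {
        // Assumed field: first release with the fix (null = no fix released yet).
        $fixedIn = $v['fixed_in'] ?? null;
        return $fixedIn === null || version_compare($installed, $fixedIn, '<');
    }));
}

// Whole months elapsed between the last update and $now (0 for future dates).
function months_since(string $lastUpdated, DateTimeImmutable $now): int {
    $diff = (new DateTimeImmutable($lastUpdated))->diff($now);
    return $diff->invert ? 0 : $diff->y * 12 + $diff->m;
}

function classify(array $plugin, DateTimeImmutable $now): array {
    $status = 'ok'; $findings = [];
    $age = months_since($plugin['last_updated'], $now);
    if ($age >= 6) {
        $status = $age >= 12 ? 'risk' : 'warning';   // thresholds from the list above
        $findings[] = "last updated {$age} months ago";
    }
    $open = open_vulns($plugin['vulnerabilities'], $plugin['version']);
    if ($open !== []) {
        $status = 'risk';                            // assumption: any open issue is a risk
        $findings[] = count($open) . " known issue(s) affect {$plugin['version']}";
    }
    if (($plugin['requires_php'] ?? '') === '') {
        $status = $status === 'ok' ? 'warning' : $status;   // assumption: warning only
        $findings[] = 'no PHP version requirement declared';
    }
    return ['status' => $status, 'findings' => $findings];
}

$now = new DateTimeImmutable('2026-04-20');          // fixed date so the output is stable
$plugins = [                                         // constructed sample inventory
    'forms-a'  => ['version' => '2.3.1', 'last_updated' => '2026-02-01', 'requires_php' => '7.4',
                   'vulnerabilities' => [['title' => 'Stored XSS', 'fixed_in' => '2.0.0']]],
    'slider-b' => ['version' => '1.4.0', 'last_updated' => '2025-08-15', 'requires_php' => '7.2',
                   'vulnerabilities' => [['title' => 'SQL injection', 'fixed_in' => '1.4.2']]],
    'legacy-c' => ['version' => '0.9.0', 'last_updated' => '2025-01-10', 'requires_php' => '',
                   'vulnerabilities' => []],
];
foreach ($plugins as $slug => $plugin) {
    $r = classify($plugin, $now);
    printf("%-9s %-8s %s\n", $slug, $r['status'], implode('; ', $r['findings']) ?: '-');
}
```

The `forms-a` entry shows the version filter at work: its only recorded issue was fixed in a release older than the installed one, so it does not count against the plugin.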
Why I built it
I couldn't find a simple free tool that just scans your plugins and
gives you a clear picture. Most solutions are either paid, overly
complex, or focused on documentation rather than actual plugin health.
Get it
- GitHub: https://github.com/gritzon/cra-scanner-wp
- WordPress.org: pending review (submitted April 2026)
Free and open source under GPL-2.0.
Feedback welcome
This is v0.2.0 — early but functional. If you try it and find issues
or have suggestions, open an issue on GitHub or drop a comment below.
