Reg (EU) 2024/2847

You build WordPress plugins in the United States and sell them to European website owners. Under Article 3(1) of Regulation (EU) 2024/2847, a WordPress plugin distributed commercially is a product with digital elements. You are the manufacturer under Article 3(13). Your European customers — or their hosting providers — will start asking for CRA documentation. CRACheck generates it before they ask.

A WordPress plugin is software placed on the market. If you sell it through WordPress.org, CodeCanyon, Gumroad, or your own website to EU users, you are making a product with digital elements available on the EU market in the course of commercial activity (Article 3(22)). The Cyber Resilience Act requires you to produce technical documentation under Article 31 + Annex VII, conduct a cybersecurity risk assessment per Article 13(2)-(3), and issue a declaration of conformity per Article 28 + Annex V. CRACheck generates all 8 documents in 15-25 minutes for €149. Built for developers, not for legal teams.


€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Regulation (EU) 2024/2847 · Art. 31 + Annex VII · 8 documents · 100% browser-side — your data never leaves your device

Key numbers

Art. 3(1): A WordPress plugin is software = a product with digital elements under the CRA

Module A: Self-assessment conformity procedure for Default category products — no notified body required

€149: Total cost for the complete 8-document CRA dossier for your plugin

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

1. Identify your plugin as a product
Enter plugin name, version, your developer entity (sole proprietor, LLC, Inc.), and distribution channel (WordPress.org, direct sale, marketplace).

2. Classify under Annex III
Most WordPress plugins classify as Default category: general-purpose software with no privileged OS or network functions. CRACheck confirms this classification.

3. Describe your plugin architecture
PHP code, JavaScript, REST API calls, third-party libraries (jQuery, React, external APIs), data storage (wp_options, custom tables), and external service connections.

4. Map security-relevant features
Does your plugin handle user authentication? Process payment data? Store personal information? Execute arbitrary code? These affect your risk assessment scope.

5. Generate risk assessment
WordPress-specific threat analysis per Article 13(2)-(3): SQL injection via unsanitized inputs, XSS in admin panels, privilege escalation through missing or incorrect capability checks, insecure REST API endpoints, vulnerable third-party dependencies.

6. Produce all 8 documents
Technical documentation, risk assessment, declaration of conformity, user information, CVD policy, ENISA notification template, obligations calendar.

7. Download and publish
Keep the dossier in your plugin documentation. Reference it in your plugin's readme.txt or on your sales page. Ready for any customer inquiry.

Common mistakes

PRODUCT DEFINITION

"WordPress plugins are not real software products — they are add-ons"

Article 3(1) of Regulation (EU) 2024/2847 defines a product with digital elements as "a software or hardware product and its remote data processing solutions, including software or hardware components being placed on the market separately." A plugin sold separately on a marketplace is a software component placed on the market separately. It is explicitly within the CRA definition.

MANUFACTURER RESPONSIBILITY

"WordPress.org handles security for plugins"

WordPress.org is a distribution platform. It may review plugins for basic security issues, but Article 13 places the technical documentation, risk assessment, and conformity obligations on the manufacturer — the developer who wrote the code. WordPress.org does not produce your Article 31 documentation.

COMMERCIAL OPEN SOURCE

"My plugin is GPL-licensed, so it is open-source and exempt"

Recital 18 of Regulation (EU) 2024/2847 excludes free and open-source software only when developed and supplied outside a commercial activity. If you sell the plugin, offer a pro version, provide paid support, or monetize the plugin in any way, it is supplied in the course of commercial activity and falls within CRA scope regardless of the GPL license.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

1. Product Classifier
Confirms your plugin's Default category classification under Annex III. Identifies the Module A self-assessment path.

2. Technical Documentation
Art. 31 + Annex VII dossier structured for a WordPress plugin: PHP/JS architecture, WordPress hooks and filters used, database interactions, REST API endpoints, and third-party library inventory.

3. Risk Assessment
WordPress-specific cybersecurity risk analysis: SQL injection, XSS, CSRF, file inclusion, privilege escalation, and dependency vulnerabilities. Mapped to Annex I, Part I requirements.

4. User Information
Annex II document for plugin users: minimum WordPress version, PHP requirements, known incompatibilities, security update mechanism, data handling disclosure, and developer contact.

5. Declaration of Conformity
Article 28 + Annex V declaration for your plugin.

6. CVD Policy
Vulnerability disclosure policy for plugin developers: how researchers report security issues, your response SLA, and coordinated disclosure process.

7. Notification Template
ENISA notification template per Article 14 for plugin vulnerabilities: zero-day exploits in production WordPress installations, SQL injection discoveries, and authentication bypass findings. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.

8. Obligations Calendar
Plugin developer timeline: Art. 14 reporting from September 2026, full enforcement December 2027, support period obligations.

See before you buy: download a sample dossier (PDF, fictitious company). Real structure, real articles, real format. Fictitious data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 EUROPEAN REGULATORY ATTORNEY
$5,000–$15,000
4-8 weeks. The attorney will spend the first week understanding what WordPress hooks are. Result: a legal memo, not the structured documentation your customer needs.
✓ Last regulatory check: 1 May 2026 · No substantive changes detected