Set the security headers that matter, publish a self-renewing security.txt (RFC 9116), and check your site against NIS2, the EU Cyber Resilience Act (CRA), GDPR and NEN 7510, all from one settings page. Built for general practitioners, psychologists and other healthcare professionals who need a defensible security baseline without a consultant.
The defaults are safe to ship on a live site, and the plugin is built to move your score on the internet.nl test in the right direction. The compliance features are optional and read-only: they verify and document what you already have, and never change your hardening.
Why healthcare sites use this
- One click to a strong header set and a valid security.txt, the two things the internet.nl test and most security reviews check first.
- An optional Compliance tab that turns those headers and your security.txt into evidence, mapped to NIS2 Art. 21, CRA Art. 14 and GDPR clauses.
- A compliance score with a plain-language breakdown, so you know where you stand and what to fix next.
- Available in English and Dutch.
It covers four areas:
Security headers
- Strict-Transport-Security (HSTS) with configurable max-age, includeSubDomains and preload
- Content-Security-Policy with an internet.nl compliant baseline and a Report-Only test mode
- Referrer-Policy with the internet.nl rating shown per value
- X-Content-Type-Options (nosniff)
- X-Frame-Options
- Permissions-Policy
- Active removal of the deprecated X-XSS-Protection and Expect-CT headers
security.txt (RFC 9116)
- Writes /.well-known/security.txt and serves it dynamically when the docroot is read-only
- Refreshes the Expires field automatically so it never lapses and stays under one year
- Fields for Contact, Encryption, Policy, Acknowledgments, Hiring (careers), CSAF, Preferred-Languages and Canonical
- Paste your PGP public key and the plugin hosts it at /.well-known/openpgp-key.txt and links it as Encryption automatically
- A free-text message to researchers and an optional signature line
- CRLF line endings and a valid Canonical URL, exactly as the internet.nl test expects
Compliance scanner (optional, new in 2.2.0)
- A Compliance tab with a single compliance score and a red / amber / green band
- CRA plugin readiness: checks each active plugin against the WordPress.org directory for update currency, compatibility and abandonment
- GDPR checks: detects third-party scripts, forms and consent tooling, and cross-references your Content-Security-Policy
- NIS2 Art. 21 signals: encryption in transit, MFA, backups, WAF, activity logging and auto-updates
- Site health checks: security.txt validity, live header verification, WordPress and PHP currency, TLS, debug mode, XML-RPC and REST user exposure
- Live verification that your configured security headers are actually being sent, not just set
- Security headers and security.txt shown as compliance evidence, mapped to the relevant NIS2, CRA and GDPR clauses
- One-click documents generated from your own settings: a Vulnerability Disclosure Policy, a CycloneDX SBOM, an EU and NEN 7510 conformity declaration, and a printable compliance report
Gravity Forms (optional)
- Block submissions from one or more email domains, with a custom error message
- The section only appears when Gravity Forms is active
This plugin configures headers and a security.txt and helps you document your posture. It is one building block toward NIS2, CRA, GDPR and NEN 7510, not a full compliance programme, and the generated documents are self-assessment starting points, not certifications. It cannot change DNS or server level items such as IPv6, the CAA record, the TLS key-exchange hash or DANE. Those are handled at your host or DNS provider.
External Services
The core hardening features (security headers and security.txt) make no external requests. The optional Compliance tab, introduced in 2.2.0, uses the following external services only when you run a scan (manually or via the optional scheduled scan). Nothing here runs on normal front-end page loads.
WordPress.org Plugins API
When a compliance scan runs, the plugin looks up each active plugin in the WordPress.org Plugins directory to check update currency and compatibility.
- What is sent: the public plugin slug only (for example, “akismet”). No personal data, no site data.
- When: only during a manual or scheduled compliance scan.
- Endpoint: https://api.wordpress.org/plugins/info/1.0/{slug}.json and https://api.wordpress.org/core/version-check/1.7/
- Caching: results are cached in a transient for 12 hours.
- This is a first-party WordPress.org endpoint. Terms: https://wordpress.org/about/privacy/
Loopback self-request (header and REST probe)
When a compliance scan runs, the plugin makes a request to its own home URL to verify that the configured security headers are actually being sent and to check whether the REST users endpoint exposes user data.
- What is sent: a normal HTTP GET to the site’s own home URL. No third-party service is contacted.
- When: only during a manual or scheduled compliance scan, or admin/cron context. Never on normal front-end page loads.
- Timeout: short (8 seconds). Result cached in a transient for 10 minutes.
- If the request fails (some hardened hosts block self-requests), the plugin falls back to showing configured values and reports that live verification was unavailable.
