# Pre-Submission Checklist for WordPress.org

## ✅ Security Fixes Completed

### CSRF Protection:
- [x] Added `wp_nonce_field()` to the form
- [x] Added `wp_verify_nonce()` check for POST requests
- [x] Added `wp_verify_nonce()` check for GET reset request
- [x] Used `wp_nonce_url()` for reset link

### Access Control:
- [x] Added `current_user_can('manage_options')` check

### Sanitization and Escaping:
- [x] All input data sanitized via `sanitize_text_field()`
- [x] All output data escaped via `esc_attr()` and `esc_html()`

### Version Updates:
- [x] Plugin version updated to 1.11
- [x] "Tested up to" updated to 6.7
- [x] Changelog entry added

## 📋 Before SVN Commit:

### 1. Local Testing:
- [ ] Install plugin on local WordPress
- [ ] Open settings page (Settings → Instabot)
- [ ] Enter API key and save - should work
- [ ] Change Run Delay and save - should work
- [ ] Click "Reset your API key" - should work
- [ ] Check that there are no PHP errors in logs
- [ ] Login as editor (non-admin) - access should be denied

### 2. Plugin Check:
- [ ] Install Plugin Check Plugin
- [ ] Run check on Instabot plugin
- [ ] Fix all found issues (if any)

### 3. SVN Commit:
```bash
# Update trunk
svn co https://plugins.svn.wordpress.org/instabot trunk
cd trunk

# Copy updated files
# Check changes
svn status

# Add new files (if any)
svn add new_file.php

# Commit changes
svn ci -m "Version 1.11 - Security fix: Added CSRF protection and input sanitization"

# Create tag for version 1.11
svn cp https://plugins.svn.wordpress.org/instabot/trunk https://plugins.svn.wordpress.org/instabot/tags/1.11 -m "Tagging version 1.11"
```

### 4. Email Response to WordPress.org:
- [ ] Send email (see EMAIL_TEMPLATE.md)
- [ ] Specify what was fixed
- [ ] Request re-review

## 📝 Notes:

- **Do not delete** SECURITY_FIX.md and documentation files from your local copy (they will help in the future)
- **Do not commit** these .md files to WordPress.org SVN repository
- Re-review usually takes 1-3 business days
- If other issues are found - fix them and repeat the process

## 🔒 Future Recommendations:

1. Always use nonces for forms
2. Always check access rights (`current_user_can()`)
3. Always sanitize input data
4. Always escape output data
5. Regularly update "Tested up to" version
6. Keep track of WordPress Coding Standards updates

## Useful Links:

- [WordPress Plugin Developer Handbook](https://developer.wordpress.org/plugins/)
- [WordPress Security Best Practices](https://developer.wordpress.org/apis/security/)
- [How to use SVN](https://developer.wordpress.org/plugins/wordpress-org/how-to-use-subversion/)
- [Plugin Check Plugin](https://wordpress.org/plugins/plugin-check/)

Good luck! 🚀