How to Block WordPress Users from Creating Higher-Level Users

One PublishPress user asked us this question:

I want Editors on our site to create new Author accounts, but NOT be able to create Administrator accounts. Is that possible?

Yes, it is possible with the PressPermit Pro plugin.

Some background on creating users in WordPress

By default, WordPress only allows Administrators to create users.

If you want to allow people in other roles (for example, “Editor”) to create users, then you need to give them at least the list_users, edit_users and create_users permissions.

However, if you give them those permissions, they can create and edit users in any role. So you could have Editors creating and editing Administrator accounts. That is a privilege escalation risk, because a lower-level user could end up controlling an account with full access to the site.

Fortunately, PressPermit Pro has a feature called “Limit User Edit by Level”. If enabled, this prevents anyone from editing a user with a higher level or assigning a role higher than their own.

Limit WordPress user edit by level

WordPress user levels explained

What does it mean when we say some WordPress users are at a higher level?

WordPress arrives with 5 key roles that you’ll see on a new site. These roles are in a hierarchy from least important to most important:

  • Subscriber
  • Contributor
  • Author
  • Editor
  • Administrator


How to limit user editing by level

Let me take you through an example of how this works with PressPermit Pro.

To start, I created a user with the “Editor” role.

Next, I used the Capability Manager Enhanced plugin to make sure that my Editors had these permissions:

This allows them to access the “Users” link in the WordPress admin and also create new user accounts.

Thanks to PressPermit Pro, this image shows what they will see. This new user can access Editor and Author accounts, but not the Administrator account.

WordPress user can't edit higher levels

And if this user does click the “Add New” button and create a new user, they will not be able to choose the Administrator role.

WordPress user can't create Administrator account
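
To show the kind of check involved, here is an added example (not PressPermit Pro's code and not part of the original article) that enforces a role ceiling with WordPress core's `editable_roles` and `map_meta_cap` filters. The rank map, the `example_` names, and the choice to treat unlisted custom roles as top rank are assumptions made for illustration.

```php
<?php
// Illustrative must-use plugin; added example, not PressPermit Pro code.

// Assumption: rank follows the five default roles listed in this article.
const EXAMPLE_ROLE_RANK = array(
	'subscriber'    => 0,
	'contributor'   => 1,
	'author'        => 2,
	'editor'        => 3,
	'administrator' => 4,
);

// Highest rank among a set of role slugs. Roles missing from the map
// (custom roles) are treated as top rank, so the check fails closed.
function example_highest_rank( array $roles ) {
	$rank = -1;
	foreach ( $roles as $role ) {
		$rank = max( $rank, EXAMPLE_ROLE_RANK[ $role ] ?? PHP_INT_MAX );
	}
	return $rank;
}

// 1. Role assignment: remove roles above the current user's own from the editable list.
add_filter( 'editable_roles', function ( $roles ) {
	$ceiling = example_highest_rank( wp_get_current_user()->roles );
	foreach ( array_keys( $roles ) as $slug ) {
		if ( example_highest_rank( array( $slug ) ) > $ceiling ) {
			unset( $roles[ $slug ] );
		}
	}
	return $roles;
} );

// 2. Editing, promoting or deleting an existing account: deny when the target outranks the actor.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
	$guarded = array( 'edit_user', 'promote_user', 'delete_user', 'remove_user' );
	if ( ! in_array( $cap, $guarded, true ) || empty( $args[0] ) ) {
		return $caps;
	}
	$actor  = get_userdata( $user_id );
	$target = get_userdata( (int) $args[0] );
	if ( $actor && $target
		&& example_highest_rank( $target->roles ) > example_highest_rank( $actor->roles ) ) {
		$caps[] = 'do_not_allow';
	}
	return $caps;
}, 10, 4 );
```

Both filters are needed: the first limits which roles can be assigned, and the second stops a lower-level user from editing or deleting an account that already holds a higher role.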
