Block WordPress Users from Creating and Editing Higher-Level Users

By default, WordPress only allows Administrators to create users.

If you want to allow other roles to create users then you need to give them at least the promote_users, list_users, edit_users and create_users permissions.

However, if you give them those permissions, they can create and edit users in any role. So you could have Editors creating and editing Administrator accounts. That could be a security problem.

Fortunately, PublishPress Permissions has a feature called “Limit User Edit by Level”. This prevents anyone from editing a user with a higher level or assigning a role higher than their own.

  • Go to Permissions, then Settings in your WordPress admin menu.
  • Click Editing.
  • Scroll down to the User Management area:
User Management
User Management

This setting allows you to choose the level of users can can be edited:

  • any user
  • equal or lower role levels
  • lower role levels

WordPress user levels explained #

What does it mean when we say some WordPress users are at a higher level? Every role in WordPress is given a user role level from 1 to 10.

WordPress arrives with five key roles that you'll see on a new site. In the list below, I've ordered them from least important to most important and included their user role level:


How to limit user editing by level #

Let me take you though an example of how this works with PublishPress Permissions Pro.

To start, I created a user with the “Editor” role.

Next, I used the PublishPress Capabilities plugin to make sure that my Editors had these permissions:

This allows them to access the “Users” link in the WordPress admin and also create new user accounts.

Thanks to PublishPress Permissions Pro, this image shows what they will see. This new user can access Editor and Author accounts, but not the Administrator account.

WordPress user can't edit higher levels

And if this user does click the “Add New” button and create a new user, they will not be able to choose the Administrator role.

WordPress user can't create Administrator account