
capabilities - Create sub-administrator role that can do everything except use or see the code editor


I am doing the code work for a website that someone else will be managing. I'm worried that just telling them not to use the code editor for appearance or plugins won't be enough to stop them from doing so.

I've tried the standard WordPress add_role( $role, $title, $capability ) but I can't figure out what combination of terms will allow them to edit pages, posts, post types, add or remove plugins, add and remove users, AND edit the WordPress customizer. I also want to make sure this user role can't delete users with the administrator role.

This didn't do the job:

add_role( 'sub_admin_role', 'Sub-Admin', array( 'level_7' => true ) );

asked Apr 22, 2017 at 6:15 by Justin Barrett; edited Apr 22, 2017 at 15:09 by Nathan Johnson
  • If it is their site, it is not up to you to tell them what to do with it and how to use it. – Mark Kaplun, commented Apr 22, 2017 at 6:50

2 Answers

Use this plugin

https://wordpress.org/plugins/advanced-access-manager/

This plugin is all you need to manage access to your website frontend and backend for any user, role or visitors.

Activate the plugin. Navigate to Capabilities and remove the following two capabilities for your desired role:

edit_themes
edit_plugins

Your code isn't working because WordPress deprecated user levels in version 3.0 (June 2010).

What you want to do is create a plugin that upon activation, creates a new role for the owner of the site that is a clone of the administrator role, but cannot edit plugin or theme files. Those capabilities are edit_plugins and edit_themes respectively.

Then, upon deactivation, you want to reassign the owners into the administrator role. This way, they can fully regain control of their website by simply deactivating the plugin.

<?php
/**
 * Plugin Name: WPSE 264483
 */

//* On activation, create an owner role that can do everything but edit themes/plugins
register_activation_hook( __FILE__, 'wpse_264483_activation' );
function wpse_264483_activation() {
  //* Clone the role object so the real administrator role is left untouched
  $administrator = get_role( 'administrator' );
  $owner = clone $administrator;
  unset( $owner->capabilities['edit_plugins'] );
  unset( $owner->capabilities['edit_themes'] );
  add_role( 'owner', 'Owner', $owner->capabilities );
}

//* On deactivation, re-assign all owners to administrators and remove owner role
register_deactivation_hook( __FILE__, 'wpse_264483_deactivation' );
function wpse_264483_deactivation() {
  $owners = get_users( [
    'role' => 'owner',
  ] );
  foreach( $owners as $owner ) {
    $owner->add_role( 'administrator' );
    $owner->remove_role( 'owner' );
  }
  remove_role( 'owner' );
}

I've enabled a similar plugin for clients upon request, but I think it's a bad idea to do so without their full knowledge and consent. It is their website after all.
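
The question also asks that the restricted role not be able to delete administrators, which neither answer covers. The following is an added example, not code from either answer: it assumes the owner role created above, and the wpse_example_* function names are hypothetical.

```php
<?php
/**
 * Added example (not from the answers above): stop non-administrators,
 * such as the 'owner' role, from editing, deleting, or promoting
 * administrator accounts. Function names are hypothetical.
 */

// True when the given user ID holds the administrator role.
function wpse_example_is_admin( $user_id ) {
  $user = get_userdata( $user_id );
  return $user && in_array( 'administrator', (array) $user->roles, true );
}

// Hide the administrator role from role dropdowns for non-administrators,
// so an owner cannot create an administrator or promote anyone to one.
add_filter( 'editable_roles', 'wpse_example_editable_roles' );
function wpse_example_editable_roles( $roles ) {
  if ( ! wpse_example_is_admin( get_current_user_id() ) ) {
    unset( $roles['administrator'] );
  }
  return $roles;
}

// Deny user-management meta capabilities when the target account is an
// administrator and the acting user is not.
add_filter( 'map_meta_cap', 'wpse_example_protect_admins', 10, 4 );
function wpse_example_protect_admins( $caps, $cap, $user_id, $args ) {
  $guarded = [ 'edit_user', 'delete_user', 'remove_user', 'promote_user' ];
  if ( ! in_array( $cap, $guarded, true ) || empty( $args[0] ) ) {
    return $caps;
  }
  // Compare roles directly; calling user_can() here would re-enter this filter.
  if ( wpse_example_is_admin( (int) $args[0] ) && ! wpse_example_is_admin( $user_id ) ) {
    $caps[] = 'do_not_allow'; // primitive capability that no role is ever granted
  }
  return $caps;
}
```

Removing edit_plugins and edit_themes only hides the built-in editors; a role that keeps install_plugins can still add code to the site through a plugin. Defining DISALLOW_FILE_EDIT as true in wp-config.php disables the editors for every role, administrators included.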
