Over the years since releasing the first version of the Members plugin, I’ve had one rule I’ve preached over and over and over: Roles Are Not Hierarchical.
In WordPress, this is actually true. Despite the appearance of a hierarchy in the default roles (Administrator, Editor, Author, Contributor, Subscriber), there’s not a true hierarchy there. Roles simply can or cannot perform some particular task based on the capabilities given to them.
This comes as a huge shock to many users who install my plugin and think that they can give Editors, for example, the ability to create new users. Little do they know that this capability allows Editors to create an Administrator. It doesn’t take a genius to figure out that could lead to some less-than-great consequences. For the sort of sites that need role management, this is typically a serious security concern.
That’s where the Members – Role Hierarchy plugin comes in. It creates a hierarchical role system and allows you to assign roles a “position” in the hierarchy. It eliminates the issue of low-level users being able to create, edit, delete, or promote users higher than their own role.
How the plugin works
On the edit or new role screen, there’s a new meta box labeled “Role Position”. Simply assign a number to the role to give it a position in the hierarchy. The default is 0. The higher the number, the higher the role is in the hierarchy.
There’s only one setting in the plugin, which you can find via the “Settings > Members” screen in the admin. The “Role Hierarchy” setting on that screen will allow you to choose whether users can manage users/roles “lower” or “lower or equal” to their own role.
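The position check described above, modeled in stand-alone PHP as an added example (this is not the plugin's own code). The sample positions, the function names, the mode strings, and the rule that a user's highest-positioned role decides are assumptions made for illustration.

```php
<?php
// Added illustration; not code from the Members - Role Hierarchy plugin.
// Role positions, function names and mode strings are assumptions.

const DEFAULT_POSITION = 0; // per the page, a role without a position sits at 0

// Constructed sample hierarchy: higher number = higher in the hierarchy.
$positions = [
    'administrator' => 100,
    'editor'        => 80,
    'author'        => 60,
    // 'contributor' and 'subscriber' are left unassigned on purpose (position 0).
];

// Assumption: when a user holds several roles, the highest position counts.
function highest_position(array $roles, array $positions): int
{
    $values = array_map(
        fn (string $role): int => $positions[$role] ?? DEFAULT_POSITION,
        $roles
    );
    return $values ? max($values) : DEFAULT_POSITION;
}

// $mode mirrors the two choices of the "Role Hierarchy" setting:
// 'lower' or 'lower_or_equal'. Any other value is rejected (fail closed).
function can_manage(array $actorRoles, array $targetRoles, array $positions, string $mode): bool
{
    if (!in_array($mode, ['lower', 'lower_or_equal'], true)) {
        throw new InvalidArgumentException("Unknown hierarchy mode: $mode");
    }
    $actor  = highest_position($actorRoles, $positions);
    $target = highest_position($targetRoles, $positions);
    return $mode === 'lower_or_equal' ? $target <= $actor : $target < $actor;
}

$cases = [
    ['editor', 'administrator'],   // the escalation the page warns about
    ['editor', 'author'],
    ['editor', 'editor'],          // same position: depends on the setting
    ['contributor', 'subscriber'], // both unassigned, so both sit at 0
];

foreach (['lower', 'lower_or_equal'] as $mode) {
    foreach ($cases as [$actor, $target]) {
        $ok = can_manage([$actor], [$target], $positions, $mode);
        printf("%-15s %-12s -> %-14s %s\n", $mode, $actor, $target, $ok ? 'allow' : 'deny');
    }
}
```

The last case shows why leaving roles at the default matters: two roles that were never given a position compare as equal, so the “lower or equal” setting lets them manage each other.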
Get the plugin
You can grab a copy of the plugin from the following places:
A special thanks
I’ve always had it in the back of my mind to build this add-on plugin. However, I never seemed to have the time or financial incentive to make it happen. So, I jumped at the chance to build this for a client who was willing to let me release this back as a plugin to the greater WP community.
The client wishes to remain anonymous, but I wanted to at least write a quick note to acknowledge his part in making this plugin happen.