wp cap remove
Overview
Revoke one or more capabilities from a WordPress role. Changes take effect immediately for all users with that role — use this to enforce the principle of least privilege.
What It Does
wp cap remove calls WP_Role::remove_cap() for each specified capability, marking it as removed from the role's capabilities array.
Syntax
wp cap remove <role> <cap>...
Basic Usage
Remove a single capability
wp cap remove editor manage_options
Remove multiple capabilities
wp cap remove contributor upload_files publish_posts
Real-World Scenarios
Scenario 1: Harden the contributor role
# Prevent contributors from uploading files
wp cap remove contributor upload_files
# Verify
wp cap list contributor --allowed | grep upload_files || echo "Removed"
Scenario 2: Security hardening — remove install rights from editors
wp cap remove editor install_plugins activate_plugins update_plugins delete_plugins
Scenario 3: Post-plugin cleanup — remove plugin-added caps from wrong role
PLUGIN_CAPS="manage_woocommerce view_admin_dashboard"
for cap in $PLUGIN_CAPS; do
wp cap remove subscriber "$cap"
done
Best Practices
- Use
wp cap list ROLE --allowedbefore removing to confirm the cap is present. - Test on staging before removing capabilities from roles on production.
- After removal, verify affected users cannot access the removed feature.
Troubleshooting
| Problem | Cause | Fix |
|---|---|---|
| Capability still active after remove | Role cached or plugin re-adds it | Flush cache then check if plugin is re-granting it |
| Users still have access | User has a secondary role with the cap | Check all roles with wp user get USER --field=roles |
Quick Reference
wp cap remove <role> <capability> # Remove one cap
wp cap remove <role> cap1 cap2 # Remove multiple
wp cap list <role> --allowed # Verify removal
Next Steps
wp cap add— add capabilities to a role.wp cap list— audit what capabilities remain.wp role reset— restore all built-in capabilities to defaults.