How to Prevent an Author from Publishing in WordPress

A lot of sites employ multiple authors on their WordPress blogs. Even if you own the site, you might not generate the content yourself. However, you might want to review each and every blog post before it gets published. Or maybe you wish to separate out the SEO and content aspects, so you want your SEO guy to optimize the articles before they are ready for the general public. In these and other similar situations, you don’t always want to give an author permission to publish a post. Instead, you want them to be able to submit it for review. Even if you leave specific instructions not to publish an article, it can happen accidentally.

Fortunately, WordPress allows us to add and remove capabilities from certain users and specific roles as well. If you want to maintain the overall functionality of a certain role, but only want to restrict a specific individual, we can do that. The code undergoes a very slight change. Let’s see how to restrict the ability to publish posts for a certain individual user.

Changing Permission on Activation/Deactivation

One important thing to keep in mind when changing role and user permissions is that these are “one-time” instructions. Meaning that you don’t need to execute them each and every time WordPress is loaded. So we need to find a hook or filter that runs just once in a long time. An ideal candidate is when plug-ins or themes are activated and deactivated.

I’d earlier written about how to create our own plug-in for custom PHP code so that we don’t have to modify functions.php and risk losing our changes whenever the theme updates or switches. In this example, I’m going to assume that you have your own custom plug-in. In this, I will remove permissions for a specific user on plug-in activation and restore them on deactivation.

As a benchmark, here is the post edit screen of the user we’re targeting. You can see that the “Publish” button is enabled indicating that they can make a post go live:

Before we are able to actually change the permissions,, we need the user ID.

Go to the “All Users” submenu under “Users” in the WordPress administration dashboard on the left. Here, you will see a list of all users on your WordPress blog. Find the person you want and hover your mouse pointer over the “Edit” link. This should bring up the target URL in the status bar at the bottom. The user ID is one of the query arguments as shown in the screenshot below:

In the example above, my user ID is 5. Now that I have this, removing and adding post publishing permissions on plug-in activation and deactivation is simple. Simply paste the following into your file containing your custom PHP code:

function return_publish_permissions() {
	$user = new WP_User(5);
	$user->add_cap( 'publish_posts' );
}
register_deactivation_hook( __FILE__, 'return_publish_permissions' );

function take_away_publish_permissions() {
	$user = new WP_User(5);
	$user->add_cap('publish_posts',false);
}
register_activation_hook( __FILE__, 'take_away_publish_permissions' );

Make sure you change the number “5” above and replace it with the user ID of the person you’re targeting. This makes use of two hooks called register_activation_hook, and register_deactivation_hook. Both of these point to a custom function with the appropriate name. In that, we create a new user object with the user ID we discovered earlier. Then we simply use the “add_cap” function to make the changes. Note how we use a second parameter called “false” when you want to remove publishing permissions.

If instead you want to change permissions for a role instead of a specific person, we create a role object instead of a user object. In the code above, replace

$user = new WP_User(5);

with

$user = get_role( 'author' );

Where “author” is the name of the role you wish to change. Ideally of course you would also change the parameter $user to something a little more descriptive like $role – but I leave it as it is in the interest of being able to copy/paste easily.

After saving these changes, your custom plug-in file will automatically reactivate itself thereby triggering the first condition removing publishing permissions from user number 5. If they now try and access the WordPress post editing screen, the “Publish” button should be replaced by one called “Submit for Review” as shown in the screenshot here:

And that’s it! Adding and removing specific capabilities for users is easy if you link it up with the activation or deactivation of a specific custom plug-in. There are also ways to link it to the enabling and disabling of themes. But that is another story altogether.