Prevent or Disable creating new users or changing roles of existing users to Administrator

Imho that’s one of the most important things regarding users:

/**
 * Deny access to 'administrator' for other roles
 * Else anyone, with the edit_users capability, can edit others
 * to be administrators - even if they are only editors or authors
 * 
 * @since   0.1
 * @param   (array) $all_roles
 * @return  (array) $all_roles
 */
function deny_change_to_admin( $all_roles )
{
    if ( ! current_user_can('administrator') )
        unset( $all_roles['administrator'] );

    if ( 
        ! current_user_can('administrator')
        OR ! current_user_can('editor')
    )
        unset( $all_roles['editor'] );

    if ( 
        ! current_user_can('administrator')
        OR ! current_user_can('editor')
        OR ! current_user_can('author')
    )
        unset( $all_roles['author'] );

    return $all_roles;
}
function deny_rolechange()
{
    add_filter( 'editable_roles', 'deny_change_to_admin' );
}
add_action( 'after_setup_theme', 'deny_rolechange' );

Related Posts:

  1. Applying roles to an admin sub-menu (eg Appearance -> Menus)
  2. How to add only a (sub) capacity to an user role?
  3. MySQL error 1449: The user specified as a definer does not exist
  4. Allow member to have access to custom post type only. Permission to only edit their own posts
  5. WP in Docker – cannot install plugin or upgrade WP
  6. when FS_METHOD = ‘direct’ is chosen?
  7. Create custom permissions for user type
  8. WordPress REST API – Permission Callbacks
  9. Add Custom User Capabilities Before or After the Custom User Role has Been Added?
  10. Can’t upload images due to permissions error
  11. Recommended File Permissions
  12. What’s the difference between the permissions “edit_published_posts” and “edit_posts”
  13. Wrong permissions when uploading a file through WordPress | IIS
  14. ftp_nlist() and ftp_pwd() warnings
  15. Remove admin bar for subscribers
  16. Restrict users on multisite WordPress install
  17. What permissions should i have set up for the Database User after i have WordPress set up?
  18. Why is group ownership with rwx permissions not enough?
  19. How to filter the role selector?
  20. How can I limit WordPress editor roles to a specific category?
  21. WordPress Multisite Layered Admins
  22. Editor and contributor roles not correct after adding function
  23. Reapproval for edits and deletion after post is published
  24. Is there a simple way to manage capabilities per user?
  25. Safe to set permissions to 757 temporarily to update via wp-cli?
  26. Can I create users that have access to *some* other users posts instead of all other users posts?
  27. Set default page for user account in admin
  28. How to remove sticky post capability for a specific user role?
  29. Does WordPress have fine-grained view permissions?
  30. How can I have different groups of editors only allowed to edit certain parent+subpages?
  31. current_user_can Not Always Working Properly
  32. Remove wordpress author’s capability to moderate comments on their own posts
  33. Can you set a role as author?
  34. can’t change footer
  35. How do I apply a class to custom menu items based on user roles
  36. permissions access error
  37. wordpress editor role remove all but ‘menus’ in appearance menu
  38. What user/group does WordPress belong to in terms of file permissions?
  39. Enable plugin installs without FTP with user from same group as Nginx/PHP-fpm
  40. Roles for Custom Post Types
  41. Moved my WordPress site and now it can’t read the theme
  42. WordPress folder ownership issues
  43. allow non logged in user to upload images in media library
  44. WordPress php mysql errors – errcode: 13 permission denied
  45. Invalid changeset UUID WordPress
  46. Group ownership permissions don’t allow web server to update WordPress content
  47. Should Apache own /var/www/domain.com directory in WordPress?
  48. custom user role wordpress – grant guest access to edit.php without insert/update/delete
  49. WordPress Permissions on my Local with Docker
  50. Running WordPress as FTP user?
  51. How to to secure WordPress file and folder permissions
  52. Upgrading problem
  53. how to remove some permissions from a shop “manager role” in woocommmerce?
  54. wp-content Folder Permissions (777 OK?)
  55. Is there any way to make myself an admin?
  56. How to prevent plugins from being uninstalled
  57. Reseting file permissions
  58. What is the “user account” for WordPress’ file permissions?
  59. Restrict access to trash, only admin
  60. How to hide wordpress error message?
  61. remove menus for a specific role?
  62. What is this error message?
  63. User Capabilities are not available in WP REST permission callback?
  64. Does it matter if the very first user, usually Admin, does not have a user ID of 1?
  65. Make a single page in WordPress available only for Admin and Subscribers
  66. How to grant user access the page [closed]
  67. Groups and subgroups for permission
  68. WordPress 4.4.2 Update not working
  69. Preventing role reading others posts
  70. solution to prevent specific admins from altering site contents
  71. User Roles: How to hide a plugin from showing in WP-Admin?
  72. Auto-Update Fails
  73. See which user role / capability is needed to use a plugin
  74. How to make file not open to public but javascript file under WordPress folder can load it
  75. Allow Editor access to a certain plugin
  76. Visitors “do not have permission to view this content” on home page only
  77. Permissions Script Not Working
  78. Blank White page issue in WordPress
  79. Permissions working but not working
  80. Mamp Pro File Permissions
  81. Create a custom “you dont have permission” message
  82. Front-end submitted post is published with admin ID as author
  83. WP_Query: Query posts only if their access is restricted to logged user’s role
  84. How to put WordPress website behind the credential for visitors?
  85. User Permissions on custom post type
  86. Downloaded WP but Nginx home page still showing
  87. WordPress install checking permissions of user id 0
  88. Public and Private keys incorrect for user
  89. Force “submit for review” on update?
  90. sufficient permissions to access this page
  91. Admin Post List Only Show One Category
  92. Restrict access to specific content
  93. the_tags only showing when logged in?
  94. Configuring WordPress permissions for easy updates
  95. Plugins Page – “Page disabled by the administrator”
  96. How to give access to programmer/developer to make changes, but prevent undesirable changes? [closed]
  97. How to give access to the particular page in wordpress for specific username/email NOT roles [closed]
  98. WordPress files owner changed silently
  99. How might I enable a user to view Draft pages from a different Author, without the ability to edit?
  100. WP Permission still set to Not Writable after I change the permission for the whole folder and files