Don't Move WordPress Admin Capabilities to other Roles

Don't be like me from three years ago. For some reason that's now lost to time I added the capability activate_plugins to the stock Editor role across a bunch of customer sites. The note at the time said it was so that users could clear cache.

Today I spent 3 hours trying to figure out why a user with the Editor role was getting a true value when I checked if they had activate_plugins.

Turns out me of 3 years ago hates future me.

The best way to do something like this is to create a new role, then assign it any extra capabilities it would need. Something like this.

add_action( 'init', 'sfnAddRole' );
    /**
    * Adds new pseudo Admin Role
    *
    * @since 2025.10.22
    *
    * @uses get_role() Returns user role object
    * @uses add_role() Creates new role given args
    * @uses add_cap()  Adds capabilities to role object
    *
    * @return null
    */
    function sfnAddRole()
    {
        $editor = get_role('editor');

        add_role('intranet_admin', 'Intranet Admin', $editor->capabilities);

        // adding extra roles our new admin needs
        $intranet_admin = get_role('intranet_admin');
        $intranet_admin->add_cap('create_users');
        $intranet_admin->add_cap('delete_users');
        $intranet_admin->add_cap('edit_users');
        $intranet_admin->add_cap('list_users');
        $intranet_admin->add_cap('customize');
        $intranet_admin->add_cap('remove_users');

    }

This is pulled from new code on the sites where I need to give my site users extra capabilities without making them WordPress Administrator users. Note I also added intranet_admin as a capability so that I can check for that with current_user_can( 'intranet_admin', $user);.