Prohibiting Users from Deleting Posts of Certain Post Types in WordPress

We once developed an order system with WordPress. When a user submits an order on the frontend, the order information is saved in a custom post type. Customer service can view and process orders in the backend. To prevent customer service from accidentally deleting this order information, we need to disable the deletion feature for this order type, allowing customer service only to view and edit, but not delete, orders. We achieved this requirement with the following code.

Removing User Permission to Delete a Certain Post Type

add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args )
{
    // If it's not delete_post permission, do nothing
    if( 'delete_post' !== $cap || empty( $args[0] ) ){
        return $caps;
    }

    // If it's the specified post type, modify permission to do_not_allow
    if( in_array( get_post_type( $args[0] ), [ 'messages', 'transaction' ], true ) ){
        $caps[] = 'do_not_allow';
    }

    return $caps;
}, 10, 4 );

After removal, only the “Edit” feature remains in the post row action bar, as shown in the image below:

Removing the “Move to Trash” Link in Bulk Operations

Although we removed the user’s permission to delete the post type, the “Move to Trash” feature in the post type list bulk edit functionality still remains (as shown in the image below). If we select several posts, choose the “Move to Trash” operation, and click Apply, WordPress will report an error telling us we don’t have permission to delete the posts.

We can remove this feature with the following code:

add_filter('bulk_actions-edit-message', function ($actions)
{
    unset($actions[ 'trash' ]);

    return $actions;
});

Besides prohibiting users from deleting posts, we can also prohibit users from performing other operations—just restrict the corresponding permissions as needed. For the list of WordPress permissions, please refer to the official documentation: WordPress Roles and Capabilities. If you need users with other roles to be able to delete orders, you can add a permission check in the code above; friends in need can edit it themselves, and I won’t list it separately here.