We have a WordPress site where we have external authors for whom we have created usernames at the Editor level. We want these editors to be able to create new posts and modify their own posts, but occasionally we have posts in progress that we’d rather keep more private.
It is a very small pool of users, and an even smaller number of posts to “protect,” so I am okay with any technique that requires explicit GRANT for our own users or explicit DENY for the external users. DENY would be easier of course, but I am not going to get fussy.
If you look at WordPress’s explanation of Roles and Capabilities, you will see that the correct role you should have assigned them is Author.
That being said, if you for some reason don’t want to change them to Authors, you can alter the capabilities that a role has. See the full list of Editor capabilities here.
This will permanently remove that capability, so after the wp-admin of the site is loaded once, you can remove these lines or comment them out.