CoursePress Pro: Students can grant Instructor Permissions from Wordpress back end.

Students can edit their profile using the WordPress back end and switch the "Instructor Capabilities" option from Revoked to Granted. This is a huge security flaw.

I can disable the admin menu bar with CSS, but if the user knows how to type ".../wp-admin" they can still access the admin panel.

Ideally I'd like to disable the student's ability to access the WordPress back end admin panel at all (not just hide it). Please advise.