diff --git a/includes/admin/class-admin.php b/includes/admin/class-admin.php
index d2ca2d03..91ff1609 100644
--- a/includes/admin/class-admin.php
+++ b/includes/admin/class-admin.php
@@ -1081,7 +1081,6 @@ if ( ! class_exists( 'um\admin\Admin' ) ) {
return $value;
}
-
/**
* @param $value
*
@@ -1092,6 +1091,15 @@ if ( ! class_exists( 'um\admin\Admin' ) ) {
return $value;
}
+ /**
+ * @param $value
+ *
+ * @return array
+ */
+ public function sanitize_wp_capabilities_assoc( $value ) {
+ $value = array_map( 'sanitize_key', array_filter( $value ) );
+ return $value;
+ }
/**
* Sanitize role meta fields when wp-admin form has been submitted
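Review bot: `sanitize_wp_capabilities_assoc()` hands `$value` straight to `array_filter()`, so a non-array value — the key absent from POST because every enabled box was unchecked, or a scalar sent by a crafted request — is a TypeError on PHP 8 and a warning-plus-null on PHP 7 rather than a clean empty list, and this is the sanitizer guarding a security option. Guard the shape first and drop repeats: `if ( ! is_array( $value ) ) { return array(); }` followed by `return array_values( array_unique( array_map( 'sanitize_key', array_filter( $value ) ) ) );`. `sanitize_key()` also lowercases and strips anything outside `[a-z0-9_-]`, so a custom capability slug with other characters is stored in a form that may no longer match `has_cap()`; the docblock should say so, e.g. `@return string[] Lower-cased capability slugs; values not representable by sanitize_key() are altered.`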
diff --git a/includes/admin/class-secure.php b/includes/admin/class-secure.php
index 262d4ee2..5bd1289d 100644
--- a/includes/admin/class-secure.php
+++ b/includes/admin/class-secure.php
@@ -206,8 +206,6 @@ if ( ! class_exists( 'um\admin\Secure' ) ) {
$disabled_capabilities = UM()->options()->get_default( 'banned_capabilities' );
$disabled_capabilities_text = '' . implode( ', ', $disabled_capabilities ) . '';
- $saved_options = UM()->options()->get( 'banned_capabilities' );
-
$scanner_content = '';
$scanner_content .= '';
$scanner_content .= esc_html__( 'Last scan:', 'ultimate-member' ) . ' ';
@@ -228,11 +226,11 @@ if ( ! class_exists( 'um\admin\Secure' ) ) {
'id' => 'banned_capabilities',
'type' => 'multi_checkbox',
'multi' => true,
+ 'assoc' => true,
'checkbox_key' => true,
'columns' => 2,
'options_disabled' => $disabled_capabilities,
'options' => $banned_capabilities,
- 'value' => ! empty( $saved_options ) ? array_keys( $saved_options ) : $disabled_capabilities,
'label' => __( 'Banned Administrative Capabilities', 'ultimate-member' ),
// translators: %s are disabled default capabilities that are enabled by default.
'description' => sprintf( __( 'All the above are default Administrator & Super Admin capabilities. When someone tries to inject capabilities to the Account, Profile & Register forms submission, it will be flagged with this option. The %s capabilities are locked to ensure no users will be created with these capabilities.', 'ultimate-member' ), $disabled_capabilities_text ),
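Review bot: `'assoc' => true` silently changes this field's wire format — the checkboxes are now POSTed as a list of capability slugs (`name="banned_capabilities[]"`, `value="<slug>"`) instead of a `slug => 1` map — and nothing in the field definition records that, so a reader has to pair it with `sanitize_wp_capabilities_assoc()` to work it out. Add a comment above the flag: `// assoc: submitted as a list of capability slugs, not slug => 1; see Admin::sanitize_wp_capabilities_assoc().` The `options_disabled` entries are presumably rendered with the `disabled` attribute and so are never submitted by the browser, meaning the "locked" capabilities only survive a save if something re-adds them on read; a second comment naming that mechanism would let the claim in the description be verified. The field array continues outside the hunk.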
@@ -359,7 +357,6 @@ if ( ! class_exists( 'um\admin\Secure' ) ) {
*
*/
public function on_settings_save() {
-
if ( isset( $_POST['um_options']['display_login_form_notice'] ) && ! empty( $this->need_flush_meta ) ) { //phpcs:ignore WordPress.Security.NonceVerification
global $wpdb;
$wpdb->query(
diff --git a/includes/admin/core/class-admin-forms-settings.php b/includes/admin/core/class-admin-forms-settings.php
index fb115a66..ba52b817 100644
--- a/includes/admin/core/class-admin-forms-settings.php
+++ b/includes/admin/core/class-admin-forms-settings.php
@@ -54,4 +54,4 @@ if ( ! class_exists( 'um\admin\core\Admin_Forms_Settings' ) ) {
}
}
-}
\ No newline at end of file
+}
diff --git a/includes/admin/core/class-admin-forms.php b/includes/admin/core/class-admin-forms.php
index 4b1a7b51..21bb22d9 100644
--- a/includes/admin/core/class-admin-forms.php
+++ b/includes/admin/core/class-admin-forms.php
@@ -1214,9 +1214,16 @@ if ( ! class_exists( 'um\admin\core\Admin_Forms' ) ) {
$html .= '';
foreach ( $section_fields_per_page as $k => $title ) {
- $id_attr = ' id="' . esc_attr( $id . '_' . $k ) . '" ';
- $for_attr = ' for="' . esc_attr( $id . '_' . $k ) . '" ';
- $name_attr = ' name="' . $name . '[' . $k . ']" ';
+ $id_attr = ' id="' . esc_attr( $id . '_' . $k ) . '" ';
+ $for_attr = ' for="' . esc_attr( $id . '_' . $k ) . '" ';
+
+ if ( ! empty( $field_data['assoc'] ) ) {
+ $name_attr = ' name="' . esc_attr( $name ) . '[]" ';
+ $value_attr = ' value="' . esc_attr( $k ) . '" ';
+ } else {
+ $name_attr = ' name="' . esc_attr( $name ) . '[' . esc_attr( $k ) . ']" ';
+ $value_attr = ' value="1" ';
+ }
$disabed_attr = '';
$data = array(
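Review bot: In the `assoc` branch each checkbox submits its own key as the value (`value="<k>"`, `name="<name>[]"`), so the checked-state test for this field can no longer be `isset( $value[ $k ] )` — it has to be `in_array( $k, (array) $value, true )` — and the place where `$value_attr` and the checked flag are emitted lies outside this hunk, so confirm it was switched too. The foreach body and the enclosing render method both continue past the hunk. A one-line comment at the branch would spare the next reader the same trip: `// assoc: POST arrives as a list of keys; match by value, not by key.`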
@@ -1240,7 +1247,7 @@ if ( ! class_exists( 'um\admin\core\Admin_Forms' ) ) {
}
$html .= "";
}
diff --git a/includes/admin/core/class-admin-settings.php b/includes/admin/core/class-admin-settings.php
index ef8a95c9..33a9d833 100644
--- a/includes/admin/core/class-admin-settings.php
+++ b/includes/admin/core/class-admin-settings.php
@@ -954,7 +954,7 @@ if ( ! class_exists( 'um\admin\core\Admin_Settings' ) ) {
'sanitize' => 'bool',
),
'banned_capabilities' => array(
- 'sanitize' => array( UM()->admin(), 'sanitize_wp_capabilities' ),
+ 'sanitize' => array( UM()->admin(), 'sanitize_wp_capabilities_assoc' ),
),
'secure_notify_admins_banned_accounts' => array(
'sanitize' => 'bool',
diff --git a/includes/common/class-secure.php b/includes/common/class-secure.php
index c3bb3ab2..73e57a23 100644
--- a/includes/common/class-secure.php
+++ b/includes/common/class-secure.php
@@ -20,6 +20,7 @@ if ( ! class_exists( 'um\common\Secure' ) ) {
public function hooks() {
add_action( 'wp', array( $this, 'schedule_events' ) );
+ add_filter( 'um_get_option_filter__banned_capabilities', array( $this, 'add_default_capabilities' ) );
}
/**
@@ -236,5 +237,21 @@ if ( ! class_exists( 'um\common\Secure' ) ) {
update_user_meta( $user->ID, 'um_user_blocked', 'suspicious_activity' );
update_user_meta( $user->ID, 'um_user_blocked__timestamp', current_time( 'mysql' ) );
}
+
+ /**
+ * Always add default banned capabilities.
+ *
+ * @param mixed $option_value
+ *
+ * @return mixed
+ *
+ * @since 2.6.8
+ */
+ public function add_default_capabilities( $option_value ) {
+ if ( is_array( $option_value ) ) {
+ $option_value = array_merge( $option_value, UM()->options()->get_default( 'banned_capabilities' ) );
+ }
+ return $option_value;
+ }
}
}
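Review bot: `add_default_capabilities()` adds the locked defaults only when `$option_value` is already an array, so when the option was never saved or was stored as `false`/`''` (every non-locked box unchecked and the key absent from POST) the filter returns the non-array untouched and the locked capabilities disappear — precisely the case where the removed frontend code started from `array()` and merged the defaults unconditionally. Make the merge unconditional and de-duplicate: `$saved = is_array( $option_value ) ? $option_value : array();` then `return array_values( array_unique( array_merge( $saved, UM()->options()->get_default( 'banned_capabilities' ) ) ) );`. The docblock should then read `@return string[]` instead of `mixed`, and — if I read the options layer correctly — note that this filter is reached only through `UM()->options()->get()`, never through `get_default()`.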
diff --git a/includes/frontend/class-secure.php b/includes/frontend/class-secure.php
index bbc5f401..dfcb51de 100644
--- a/includes/frontend/class-secure.php
+++ b/includes/frontend/class-secure.php
@@ -196,23 +196,18 @@ if ( ! class_exists( 'um\frontend\Secure' ) ) {
// Fetch the WP_User object of our user.
um_fetch_user( $user_id );
$has_admin_cap = false;
- $arr_banned_caps = array();
+ $arr_banned_caps = UM()->options()->get( 'banned_capabilities' );
- if ( UM()->options()->get( 'banned_capabilities' ) ) {
- $arr_banned_caps = UM()->options()->get( 'banned_capabilities' );
- }
-
- // Add locked administrative capabilities.
- $arr_banned_caps = array_merge( $arr_banned_caps, UM()->options()->get_default( 'banned_capabilities' ) );
-
- foreach ( $arr_banned_caps as $cap ) {
- /**
- * When there's at least one administrator cap added to the user,
- * immediately revoke caps and mark as rejected.
- */
- if ( $user->has_cap( $cap ) ) {
- $has_admin_cap = true;
- break;
+ if ( is_array( $arr_banned_caps ) ) {
+ foreach ( $arr_banned_caps as $cap ) {
+ /**
+ * When there's at least one administrator cap added to the user,
+ * immediately revoke caps and mark as rejected.
+ */
+ if ( $user->has_cap( $cap ) ) {
+ $has_admin_cap = true;
+ break;
+ }
}
}
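Review bot: The new `is_array( $arr_banned_caps )` guard fails open: if `UM()->options()->get( 'banned_capabilities' )` returns anything but an array (option unset, or saved as `false`/`''`), the loop is skipped, `$has_admin_cap` stays false and a user carrying `manage_options` or similar is never flagged — whereas the removed lines always merged `get_default( 'banned_capabilities' )` here regardless of the stored value. Since this is the enforcement point, keep a local fail-closed fallback instead of relying solely on the read filter: `if ( ! is_array( $arr_banned_caps ) ) { $arr_banned_caps = UM()->options()->get_default( 'banned_capabilities' ); }`. The method continues past the hunk, so what happens when `$has_admin_cap` is true is not visible here.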