What Developers Mean when they say “Don’t Hack Core”

In both the WordPress and Drupal communities you’ll frequently hear the refrain “don’t hack core.” What does that mean though? Often I see this phrase used out of context or without explanation. When I was first learning to code, I certainly didn’t know what it meant, I just knew that one time my mentor pointed to most of the files in WordPress and very seriously told me that touching them or changing them was very very bad.

What is core?

In order to not hack core, we first must be able to identify what core is. In general, “core” refers to the basic set of core files that make up a content management system. When you download WordPress or Drupal, the core files are what you download.

WordPress Core File Structure
WordPress Core File Structure
Drupal Core File Structure
Drupal Core File Structure

What does “hacking” core mean?

In the context of the phrase “don’t hack core” the word “hack” simply means “to change.” This means that you should not make any changes to core.

It’s that simple: do not change the core files. Changing the core files in any way is hacking the core files. Do not hack the core files.

Where am I allowed to make changes?

Of course, in order to customize WordPress or Drupal you will need to add theme and plugin or module files. There are very specific places where these files belong within the core file structure. In WordPress, custom theme files should be located under wp-content/themes and plugin files should be located under wp-content/plugins. In Drupal, your custom theme files should be located under sites/all/themes and module files should be located under sites/all/modules.

There is also a file that you may need to edit in order to make sure that your database is connected to your website (wp-config.php in WordPress and settings.php in Drupal). You’ll notice though that these files are not included when you initially download either CMS’s software. They are created as part of the installation process. In WordPress, wp-config.php is located at the root level and in Drupal, settings.php is located under sites/default.

Some developers will argue that they need to change core because they discovered a problem with it. If you find a bug in core and have a patch for the problem, then submit a bug report to the core development team for the software you are using. In the meantime, don’t hack core.

Why is hacking core bad?

In the most general sense, hacking core is bad because of the security, maintenance, and compatibility problems that making changes to core files can cause with your site. It can cause unforeseen and bizarre problems with the display of a website and can also be a root cause of issues that can bring down a website entirely.

There are also very specific reasons why hacking core is a bad idea. They are:

1. Inability to Easily Update Core

WordPress and Drupal frequently release updates to their core software. These updates include security updates, bug fixes, and new features. It is recommended that you upgrade your software as new versions become available so that your website is protected from any known security vulnerabilities and that it remains compatible with the most current versions of plugins and themes.

When you update either WordPress or Drupal, you are functionally replacing the old core files with new versions of the files. Therefore, when you “hack” core by making a modification to the core files, you are guaranteeing that you’ll need to redo these hacks with every update released for your software. Since the core software is changing with every update it is certainly possible that the hack you originally implemented will not be exactly replicable with a new version of the software.

2. Security Vulnerabilities

When a security vulnerability impacts WordPress or Drupal core, the core developers and community for each project will release an update that patches the vulnerability. If you create your own independent version of open source software, which is what you are doing when you change core even a little bit, you may create vulnerabilities and not even know it. You run the risk of having your site compromised and then having no one who can help you troubleshoot because your underlying software is unique.

3. Maintenance Problems

Most websites are maintained by multiple people over time. This can be due to staff or agency changes or simply due to the primary site maintainer going on vacation. If another person is trying to fix a problem on the website where you hacked core, you can not assume that this new person will look for changes within the core files because it is best practice to NOT change these files. This hypothetical person will instead look first in all of the places where changes should be made, like in child theme and custom plugin or module files.

4. Compatibility Problems with Plugins/Modules and Themes

In both WordPress and Drupal themes are used to modify the appearance and styling of a website and plugins or modules are used to modify how the software works. Some parts of themes and plugins/modules interact with pieces of code found in the core software. If you hack core, it is possible that you could modify something that interacts with a theme or plugin/module you are using and that this could cause unforeseen incompatibility issues. Again, troubleshooting these issues will be extremely difficult because your configuration will be 100% unique.

When it comes to core, there is no benefit in being your own unique snowflake.

5. That’s What Plugins and Modules Are For

Most of the time when people make changes to core, they are doing so because they want to change or add functionality to the software. This goal of modifying and extending the functionality of your content management system is exactly why plugins exist for WordPress and why modules exist for Drupal. Chances are you may be able to find an existing plugin or module that will add the functionality you’re looking for to your site. If you can’t find exactly what you want in an existing plugin or module, then best practices are to code your own custom plugin or module.

What about themes, plugins, and modules?

As with core, best practice is to not make changes to theme or plugin/module files. The underlying reasons for this are basically the same as the reasons why it is bad to hack core: updates will overwrite your changes and you may unknowingly introduce security vulnerabilities.

There are two generally accepted approaches to theme development: using a starter theme to create your own 100% customized theme or using a base theme and creating a child theme that overrides the base theme.

If you are using a plugin or module and you absolutely need to modify the code in order to get the functionality you need for your site, fork the plugin and create your own custom version. This will prevent future updates to the plugin from overriding your changes.


Hacking core is simply changing the core files for WordPress, Drupal, or any other widely used open source content management system out there. The place to make modifications to the way WordPress or Drupal looks is in your theme files. The way to make modifications to the way WordPress or Drupal works is with plugins and modules.

At the end of the day, never ever hack core. Never.


3 Replies to “What Developers Mean when they say “Don’t Hack Core””

  1. Nice post! I was looking for an updated post about why touching WordPress core is a bad idea, and you touched up on Drupal as well. Definitely will share on my social networks. The term “core” is used a lot and we tend to forget that not everyone understands exactly what that’s referring to, and then across different CMS’. Thanks for this. 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *