3 Reasons Why Hacking the WordPress Core is a Very Bad Idea

If you do a Google Image search for the phrase “don’t hack wordpress core” the image below comes up #1:



There’s good reason for this: it’s actually true.

So the next time you are considering hacking the core files of WordPress, make sure you give a final thought to the kitten you are murdering in the process.

And just why is the result of hacking the WordPress core so drastic?

For that answer we turn to Copyblogger Media’s own Andrea Rennick, who knows a thing or two about WordPress, and who inspired this post earlier today when she retweeted a most emphatic plea from WordPress developer Ryan Duff:

Since I am more of a writer than a developer (okay, much more), I was curious why staying away from the WordPress core is so important.

Isn’t that why people like WordPress in the first place? Because it can be customized and so flexibly bent to the will of whoever is using it?

So I asked Andrea, and she responded with the blunt clarity I’d hope for:

Every time you hack WordPress core, a kitten dies. True facts!

This was the very first line in her email response to me, after which I did the aforementioned Google Image search.

Okay, I get it, kittens die whenever someone hacks the WordPress core.
But why?

Andrea continued:

Some people hack the WordPress core due to a lack of knowledge and/or time constraints. They don’t know how to get around what they are trying to do, don’t have time to hunt down the right way to do it, and just hack away because the client wants it.

Which is a really sucky reason.

If you don’t have time to do it right, you don’t have time to fix it.

Ah ha. Now the answer was becoming much more clear.

Basically, people like me without the requisite skills shouldn’t hack the WordPress core for the same reason I shouldn’t try to soup up the engine on my car: I don’t know what the hell I’m doing.

And just like I’d have to bring my car to a mechanic to undo whatever catastrophes I’d inflict on the engine, I’d undoubtedly have to turn my WordPress files over to someone like Andrea for emergency rescue help if I decided to go in and hack away at the core.

But that’s just the tip of the don’t-hack-the-WordPress-core iceberg.

It’s not just frou-frou writers and technical noobs like myself who should stay away from the WordPress core, it’s literally everyone. Even Andrea and Ryan, people who know their way around it like they know their own neighborhoods, don’t hack the core.

Here’s three critical reasons why …

1. You create zero-day vulnerabilities

The credit for this reason goes to Synthesis’ Grand Poobah of All Things Technical, Derick Schaefer. I bopped into his office this morning to get his take on this issue, and he was in the middle of his answer before I even finished the question:

When zero-day vulnerabilities come in, you’ve ruptured the understanding of what people know of the WordPress core with your customizations.

In case you are unfamiliar with the term “zero-day attack,” as I was, it is a threat or attack that exploits a previously unknown vulnerability in a computer application. Thus, the attack occurs on “day zero” of the vulnerability, so developers have had zero days to address and patch it.

From our perspective at Synthesis, where we take the security of our customers’ sites nearly as seriously as we take our own personal health (but with many more regularly scheduled check-ups!) zero-day vulnerabilities like the TimThumb fiasco are a pervasive fear.

Hacking the WordPress core not only has the potential to introduce security holes, but any attacks that result are going to be more difficult to deal with because they are brand new.

This alone should be enough to scare you away from the WordPress core files.

2. You’re hacking up what plugins were made to do

If the previous reason is not enough to convince you that hacking the WordPress core is a fool’s activity, maybe this thread on the subject from Stack Exchange will convince you.

It’s not that anyone wants to keep you from bending WordPress to your will and adding your own unique customizations; it’s just that hacking the core is the wrong way to go about it.

There are perfectly acceptable and encouraged methods for customizing WordPress, summed up in these two quotes from the thread:

Relevant Quote #1:

You can always change how WordPress works, by using plugins. This can sometimes be rather tiresome and difficult, but the extra work always outweighs the problems you get by changing the WordPress core itself.

Relevant Quote #2:

The best reason not to hack core is that whatever you are doing should be reworked as a patch for core instead!

And as Jeremy Clarke explains in the thread, if there really is no existing hook available to accomplish what you are needing done, explain on Trac why it should exist and maybe it’ll end up in the next WP update.

3. Your site is no longer future-proof

Speaking of WordPress updates, they are yet another reason to avoid hacking core files.

Relevant Quote #3:

There’s also the fact that once you upgrade wordpress to the latest version all your changes to the core files are overwritten.

So, rather than taking advantage of WordPress’ wonderfully simple one-click upgrades, you have to go back in and re-add your core customizations each time you upgrade WordPress.

Why make your site more vulnerable and your life more difficult?

So is it ever okay to hack the WordPress core?

Is this really that cut-and-dried of an issue? Actually, it pretty much is.

As Andrea explained to me further, there have been a few cases — some even argued in WP Trac — where people had to edit core files because there was no way around what they were trying to do … but those were usually really obscure functionality desires driving the hacks.

For example, Marko Heijnen responded to Andrea on Twitter that he hacked the WordPress core to “GIFs with an alpha state.” He explained that it doesn’t work well with WP and doesn’t matter if it breaks.

Fair enough, but we’ll place that firmly in the “risk you’re willing to take” category, as it still does not address the issue of potential zero-day attacks from unexpected vulnerabilities, nor the necessity of needing to add the hack after every WP update.

What should happen to people who hack the WordPress core?

I asked Andrea what she thought would be a just punishment for people who hack the WordPress core. She took to Twitter to get some responses, and boy did she get some good ones:

  • From @johnbhartley: “force them to listen and watch a reading of the entire Codex, a la “Clockwork Orange”
  • From @johnsgunn: “cattle prod installed into their desk chair?”
  • From @jan_dembowski: “Write ‘I will not hack core again.’ on the board 1,000 times.”
  • From @zedejose: “install and customize Joomla once or Drupal ten times.” (Andrea especially liked this one, deeming it “HARSH!”)

As you can see, hacking the WordPress core is simply not an advisable course of action, and it’s not just me saying this. Many of the preeminent WordPress experts out there agree.

It’s your WordPress install, so ultimately the decision is yours. We just want you to understand the issues that hacking the core introduces to your site.

And that kittens will die.

Don’t kill kittens, you heartless fiend. Stay away from the core!


  1. Good coverage.

    The main reason is that is basically never really necessary. If you examine like half the core code, you’ll find that WordPress itself uses its own action and filter hooks extensively. In a sense, quite a lot of the WordPress core code is a plugin. Plugins get loaded the same as all the other files, and can hook the same hooks that WordPress itself is using internally.

    So if you thing that you need to adjust something in core, then it is very likely what you’re adjusting is hooked in such a way that you can simply unhook it and hook in your modified version, inside of a plugin.

    With very, very few exceptions, plugins can do everything core can do, and there’s almost no part of core that is un-modifiable. Even the example given about messing with GIFs and alpha states could be done with a plugin (see my ImageFX plugin to see the sort of crazy image tricks that are possible with just a plugin).

  2. +1 to this article, however I would like to point out (as a humorous gotcha) that all WordPress Core Devs and Contributors Hack WordPress core, that is where all improvements,future enhancements, and bug fixes come from. Obviously I’m not advocating hacking core, it should be left to the pros, and never done on a live / client site.
    The thing I had to do once, was I noticed a limitation to the WordPress Exporter in core WP, and there were no filters / hooks available to modify via a Plugin, I hacked core, submitted a patch, and once I did my export reverted my changes, in a hope that WP Core would apply the patch or fix things up for a future release… edge case, and I hope you kittens were killed in the process.

    • Jerod Morris :

      Good point! And yes, a very humorous gotcha. I thought about this while writing but figured the underlying message of letting the pros do the hacking need not be said, especially on a live or client site! But doesn’t hurt to say it here so everyone knows.

  3. HARSH! :)

  4. So tell me, on the login form, how can I set a default user name using a variable from the query string? I want to be able to send a user a URL for logging in which automatically fills out the user name, eg. like this: http://www.somewpsite.com/wp-login.php?user=someusername

    PS. I understand that the username will be cache in the browser and all that, but that is fully acceptable for this user/site.

Leave a Reply