WP Engine Products

WordPress Hosting

Boost performance while managing less

WooCommerce Hosting

Build faster and sell more with WooCommerce

Headless WordPress

Build, deploy, and manage headless sites

View More Products

Solutions

Small Businesses

Enterprises

Agencies

eCommerce

View More Solutions

Website Tools

Smart Plugin Manager

Website Tester

Website Monitoring

WordPress Themes and Tools

Local WordPress Development

Featured Plugins

Advanced Custom Fields

Build rich, custom content editing experiences

WP Migrate

Migrate WordPress sites with confidence

WP Offload Media

Offload media assets & serve them lightning fast

WP Offload SES

Improve email send reliability with Amazon SES

View More Recommended Plugins

WordPress Resources

WP Engine Resources

Articles and videos for help with WordPress

WP Engine Help Docs

Guides for site setup & troubleshooting

Free Website Migration

Automated migration plugin & support

Find a WordPress Agency

Need help? Search our agency directory

Stay Connected

WP Engine Blog

Builder Community

Headless Developer Community

Torque Magazine

Velocitize Magazine

Thought Leadership

Velocitize Talks

Erik Posthuma of Aleph-labs on Web3, Cryptocurrency, & More

Podcast

Press This, the WordPress Community Podcast

Study

The World’s First Study of the WordPress Economy

Why WP Engine?

Our Platform Technology

Managed WordPress Hosting

Fast WordPress

Secure WordPress

24/7 WordPress Support

About Us

WP Engine Reviews

How You Win with WP Engine

Build faster, protect your brand, and grow your business with the #1 WordPress platform to power remarkable online experiences.

Learn More

Customer Spotlight

Peak Performance With Headless WordPress

Android Authority increases speed 6x by adopting a headless architecture with a WordPress back-end.

All Case Studies

Contact sales

Call Us

+1-512-273-3906 to talk to a sales expert

Request a Quote

Submit a request for a personalized plan recommendation

Let’s Chat

Customer Support

Support Articles

Billing Help

Password Help

Log In for Support
Easiest Migration Ever!

Need Help Choosing a Plan?

We offer solutions for businesses of all sizes. For questions about our plans and products, contact our team of experts. Get in touch

Resource Center
‹ Back to Resource Center
an illustration of a green apple core on a blue background

Why you Shouldn’t Ever Edit the WordPress Core

Posted in WordPress by WP Engine

Last updated on September 13th, 2023

You know you can customize and shape WordPress to fit any look or need imaginable, and people have built millions of incredibly unique websites around it. Plugins and themes allow WordPress developers to extend the core functionality and turn it into something powerful and individual.

No matter how a WordPress installation is configured or customized, however, they all have one thing in common: They’re all built on top of the WordPress core.

The core is the cornerstone behind WordPress. It’s a piece of work eleven years and several major release versions in the making. Every WordPress site is powered by the same core code, no matter how differently they operate or look. Let’s peek behind the curtain of the WordPress core and take a look at its biggest cardinal rule—why you should never ever edit the core. Then, on a less strict note, we’ll get into how it’s updated and released, as well as how to get involved in making it better.

Don’t Edit the Core!

The WordPress core has one big, huge, major, important rule: Never edit core files. Ever. Even core developers don’t mess around with the core on production servers. Here’s why.

When the WordPress core gets updated, it overwrites the core installation with any new updates included in the release. If the core has been chopped up and modified beforehand, it’ll wipe out those changes. That means big sections of the installation will just stop working.

Worse, modifying the core can have all kinds of unintended consequences, like preventing updates from working correctly, further screwing up an installation. But wait! There’s more! Even worse than that is the potential to introduce unintended security vulnerabilities. Messing with core files could easily introduce a hole in WordPress’ security, allowing hackers to take over a site.

never-edit-wordpress-core-1

Understand the Core’s File Structure

Now that we’ve hammered home why you shouldn’t edit core files, let’s take a quick nerd moment to look through their structure. Here’s what a base directory looks like:

license.txt
 readme.html
 wp-activate.php
 wp-admin/
 wp-blog-header.php
 wp-comments-post.php
 wp-config-sample.php
 wp-content/
 wp-cron.php
 wp-includes/
 wp-links-opml.php
 wp-load.php
 wp-login.php
 wp-mail.php
 wp-settings.php
 wp-signup.php
 wp-trackback.php
 xmlrpc.php

That’s the WordPress Core in its entirety. The folders wp-admin, wp-content, and wp-includes have the bulk of the code that powers WordPress, namely the back-end code that powers the WordPress dashboard, for example.

Familiarize Yourself With the Core’s Release Cycle

So if we aren’t supposed to edit the core, who is? Let’s talk about the people who implement features and push out updates. Lead developers, core developers, and guest committers, many of whom work for WordPress’ parent company Automattic, all work together to maintain the WordPress core. Some core developers and guest committers, however, contribute either on their own accord or because they’re associated with another WordPress related company. Because WordPress is fully open source, anyone is free to contribute documentation and code to the codebase. However, commit access on the core is limited, and any new contributions go through a code review process.

WordPress developers utilize a formalized release cycle for major releases, and according to the core handbook, release cycles are broken down into five phases:

1. Planning and securing team leads
Discussions and planning take place regarding the features and fixes that need to be made, and developers are assigned different tasks and/or take the lead on specific feature implementations.

2. Development work begins
Actual feature implementation and bugfixes begin. At this point, implementing actual code and performing automated tests is done by developers and team/project leads coordinate the arrangement.

3. Beta testing
After development work has made significant progress, the codebase is released to beta testers and anyone who is interested in living on the bleeding edge. Users discover and report bugs and other inconsistencies with the new code, and developers make fixes accordingly. At this point, no new features are added.

4. Release candidate
Once everything is locked in, final tests are run on the codebase to ensure its stability, security, and implementation.

5. Launch
The release is launched to the public and available on every WordPress admin console for downloading.

This phase is repeated for each release cycle, with major point releases being published two or three times a year. There are also usually several security releases, which come in the form of sub points, like 4.0.1. 4.0.1 is a fix for some security vulnerabilities discovered in version 4.0 that needed to be repaired. Security releases do not include any new features—they just focus on hardening the security of WordPress.

Update to Decrease Your Site’s Vulnerability

It’s always a good idea to update to the latest available version of WordPress. Also, make sure to use themes and plugins that aren’t version dependent or specific. WordPress is an incredibly popular platform, which makes it a prime target for hackers. Hackers give WordPress a lot of extra scrutiny because of how widely it’s used.

WordPress plugin developers and core developers work hard to keep the platform as secure as possible and to immediately release patches for any discovered vulnerabilities. That’s why keeping WordPress updated is so important—you’ll stay ahead of the hackers while getting to use all of the great new features introduced by developers. You can update the core via the WordPress admin panel manually, although hosts like WP Engine will update it for you automatically, keeping your sites patched and secure.

never-edit-wordpress-core-2

Get Involved

Getting involved with an open-source project can be an immensely rewarding experience, and your contributions have an opportunity to impact hundreds or even thousands of people. For WordPress specifically, there’s a great deal of work to do for developers and nondevelopers alike. It’s always great to write code and contribute to the functionality of your favorite open-source projects, but WordPress also requires a great deal of technical documentation and copy editing as well.

WordPress.org maintains the Codex, which is a large repository of information surrounding WordPress, including information such as technical documentations, How Tos, and introductions to WordPress. The Codex has a section dedicated to contributors and discusses in detail how you can get involved in valuable, important work that doesn’t involve writing and committing code.

If you’re a developer and getting involved in core code is more of your thing, an awesome way to start contributing is by submitting bug fixes. The WordPress core team has put together a great guide on finding bugs to fix and how to go about fixing them.

Related articles.

Get started.

Build faster, protect your brand, and grow your business with a WordPress platform built to power remarkable online experiences.

Get started

Explore WordPress Hosting