Let’s face it – we’re human. We’re curious, and we think know better. And if we’re guys, well, do I really need to mention asking for directions or taking things apart? I for one took apart my mother’s brand new Hoover vacuum cleaner when I was 13 – and couldn’t put it back together again. She was not happy. I recently took apart some example code for parsing XML feeds for a project I was working on and now it works great. But there are some things better left alone and WordPress is one of them. There are 3 reasons why you shouldn’t modify the core WordPress files or the core files of any CMS:
Security: When you modify the core files, you will no longer be able to use the update feature without overwriting the edits you made and this include the security patches that come out. The WordPress Security Team evaluates and develops a plan for handling security issues within 72 hours of discovery. They rely on the auto update feature of WordPress 3.7+ to push out a security patch to those sites that haven’t disabled the auto updater. When you edit the core files, you own responsibility for keeping ALL of the files up to date manually. That would be over 1100 files – more if you modify the plugins.
Efficiency: If you modify the core files of wordpress then you’ve effectively killed your ability to use the auto update feature. This kills efficiency and puts the onus on you to keep your files up to date every time a new security patch or update is released. You’ll need to read through the update documentation to learn what’s been changed and then go find the affected files and make the changes. That’s a lot of unnecessary work – especially when they’ve given you a tool to make it easy – secure and easy.
Flexibility: WordPress is built with reusable functions. These functions are integrated into the core files in many different places and relied upon by plugins and themes. Editing them means you could disable or break your site in some way. It might be something you don’t need or will never see until you need it but unless you know exactly what you’re doing you’re not likely to realize your mistake until much later..
There are over 72 million installs of WordPress. The dev team is doing a great job to have reached this level of saturation. For those that whine about how they like their highly customized websites and bemoan the WordPress 3.7 auto update feature. Fine. Don’t blame it on WordPress when your website is hacked.
I will never modify core files for these reasons. I don’t have time to waste. I’d rather follow good coding practices and make my edits using child themes or build my own plugins. Much safer and less work.