
Why you Shouldn’t Ever Edit the WordPress Core

You know you can customize and shape WordPress to fit any look or need imaginable, and people have built millions of incredibly unique websites around it. Plugins and themes allow WordPress developers to extend the core functionality and turn it into something powerful and individual.

No matter how a WordPress installation is configured or customized, however, they all have one thing in common: They’re all built on top of the WordPress core.

The core is the cornerstone behind WordPress. It’s a piece of work eleven years and several major release versions in the making. Every WordPress site is powered by the same core code, no matter how differently they operate or look. Let’s peek behind the curtain of the WordPress core and take a look at its biggest cardinal rule—why you should never ever edit the core. Then, on a less strict note, we’ll get into how it’s updated and released, as well as how to get involved in making it better.

Don’t Edit the Core!

The WordPress core has one big, huge, major, important rule: Never edit core files. Ever. Even core developers don’t mess around with the core on production servers. Here’s why.

When the WordPress core gets updated, it overwrites the core installation with any new updates included in the release. If the core has been chopped up and modified beforehand, it’ll wipe out those changes. That means big sections of the installation will just stop working.

Worse, modifying the core can have all kinds of unintended consequences, like preventing updates from working correctly, further screwing up an installation. But wait! There’s more! Even worse than that is the potential to introduce unintended security vulnerabilities. Messing with core files could easily introduce a hole in WordPress’ security, allowing hackers to take over a site.
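An added example, not from the original article: because hand edits to core are both fragile and a security risk, a defender can detect them by hashing core files against a known-good manifest, which is the check WP-CLI's `wp core verify-checksums` performs against the checksums WordPress.org publishes. The `audit_core` and `demo` functions, the manifest layout (relative path to MD5) and the sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # wp-content varies per site, so it is skipped


def audit_core(root: Path, manifest: dict) -> dict:
    """Compare a WordPress tree against a {relative_path: md5} manifest."""
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        if rel.startswith("wp-content/"):
            continue
        target = root / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif hashlib.md5(target.read_bytes()).hexdigest() != expected:
            report["modified"].append(rel)
    # Files inside core directories that the release never shipped.
    for core_dir in CORE_DIRS:
        for path in (root / core_dir).rglob("*"):
            rel = path.relative_to(root).as_posix()
            if path.is_file() and rel not in manifest:
                report["unexpected"].append(rel)
    return {kind: sorted(paths) for kind, paths in report.items()}


def demo() -> dict:
    """Build a constructed miniature install, tamper with it, audit it."""
    pristine = {  # constructed stand-ins, not real WordPress source
        "wp-admin/admin.php": b"<?php // dashboard bootstrap\n",
        "wp-includes/version.php": b"<?php $wp_version = '4.0.1';\n",
        "wp-includes/pluggable.php": b"<?php // auth helpers\n",
    }
    manifest = {p: hashlib.md5(b).hexdigest() for p, b in pristine.items()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in pristine.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)
        # Simulate a hand edit, a deleted file and a stray file in core.
        (root / "wp-includes/pluggable.php").write_bytes(b"<?php // edited\n")
        (root / "wp-admin/admin.php").unlink()
        (root / "wp-includes/extra.php").write_bytes(b"<?php // stray\n")
        return audit_core(root, manifest)


if __name__ == "__main__":
    print(demo())
```

Any path reported as modified or unexpected is a candidate for restoring from a clean copy of the same release and for review as a possible compromise.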


Understand the Core’s File Structure

Now that we’ve hammered home why you shouldn’t edit core files, let’s take a quick nerd moment to look through their structure. Here’s what a base directory looks like:


That’s the WordPress core in its entirety. The folders wp-admin, wp-content, and wp-includes hold the bulk of the code that powers WordPress, including the back-end code behind the WordPress dashboard.

Familiarize Yourself With the Core’s Release Cycle

So if we aren’t supposed to edit the core, who is? Let’s talk about the people who implement features and push out updates. Lead developers, core developers, and guest committers, many of whom work for WordPress’ parent company Automattic, all work together to maintain the WordPress core. Some core developers and guest committers, however, contribute either of their own accord or because they’re associated with another WordPress-related company. Because WordPress is fully open source, anyone is free to contribute documentation and code to the codebase. However, commit access on the core is limited, and any new contributions go through a code review process.

WordPress developers utilize a formalized release cycle for major releases, and according to the core handbook, release cycles are broken down into five phases:

1. Planning and securing team leads
Discussions and planning take place regarding the features and fixes that need to be made, and developers are assigned different tasks and/or take the lead on specific feature implementations.

2. Development work begins
Actual feature implementation and bug fixes begin. At this point, developers implement code and run automated tests, while team and project leads coordinate the work.

3. Beta testing
After development work has made significant progress, the codebase is released to beta testers and anyone who is interested in living on the bleeding edge. Users discover and report bugs and other inconsistencies with the new code, and developers make fixes accordingly. At this point, no new features are added.

4. Release candidate
Once everything is locked in, final tests are run on the codebase to ensure its stability, security, and implementation.

5. Launch
The release is launched to the public and available on every WordPress admin console for downloading.

This cycle is repeated for each release, with major point releases being published two or three times a year. There are also usually several security releases, which come in the form of sub-point versions such as 4.0.1, a fix for some security vulnerabilities discovered in version 4.0 that needed to be repaired. Security releases do not include any new features; they just focus on hardening the security of WordPress.

Update to Decrease Your Site’s Vulnerability

It’s always a good idea to update to the latest available version of WordPress. Also, make sure to use themes and plugins that aren’t version dependent or specific. WordPress is an incredibly popular platform, which makes it a prime target for hackers. Hackers give WordPress a lot of extra scrutiny because of how widely it’s used.

WordPress plugin developers and core developers work hard to keep the platform as secure as possible and to immediately release patches for any discovered vulnerabilities. That’s why keeping WordPress updated is so important—you’ll stay ahead of the hackers while getting to use all of the great new features introduced by developers. You can update the core via the WordPress admin panel manually, although hosts like WP Engine will update it for you automatically, keeping your sites patched and secure.


Get Involved

Getting involved with an open-source project can be an immensely rewarding experience, and your contributions have an opportunity to impact hundreds or even thousands of people. For WordPress specifically, there’s a great deal of work to do for developers and nondevelopers alike. It’s always great to write code and contribute to the functionality of your favorite open-source projects, but WordPress also requires a great deal of technical documentation and copy editing. maintains the Codex, which is a large repository of information surrounding WordPress, including technical documentation, how-tos, and introductions to WordPress. The Codex has a section dedicated to contributors and discusses in detail how you can get involved in valuable, important work that doesn’t involve writing and committing code.

If you’re a developer and getting involved in core code is more of your thing, an awesome way to start contributing is by submitting bug fixes. The WordPress core team has put together a great guide on finding bugs to fix and how to go about fixing them.
