When should you edit core WordPress files?

The WordPress content management system package ships with many PHP, stylesheet, and JS files. These files control every feature of the WP CMS and contain code written by the WordPress core developers. The stylesheets are responsible for the layout, colors, and fonts of the WP dashboard, and JavaScript powers the WordPress AJAX features.

WP is an open-source CMS that doesn’t stop you from changing the WP core files. There’s a significant risk involved in making any change to the WP core files. If you modify the code of the WP core file and you have no idea what you’re doing, you’re inviting trouble. For example, an important feature of WP may break, or your site may not work. If you’re using a shared hosting plan, you won’t find an option to re-install WP in the control panel.

WordPress Core Files list

When to edit the core files? The only reason why a user may want to edit core WordPress files is that the user’s site has been hacked, or a malicious plugin or theme has made changes to the WP core files. An outdated plugin or theme may have security issues. The developer, for some reason, no longer supports the plugin/theme or may not release an update that fixes the security issue. The hacker identifies the security issue and writes code that takes advantage of it on sites using this theme/plugin.

What may the malicious code do? The code may create 1000s of thin pages and add them to the sitemap. It may redirect important pages of your website to pages of other sites, and so on. The code may also delete all WP posts from the site permanently. If you restore the DB and don’t do something about the malicious code, you’ll face the same issue again.

What to do in this situation? You should replace the WP core files manually or use a plugin that will let you do so. The Wordfence security plugin does a great job of replacing the WP core files with the latest files available in the WordPress repository. Instead of editing the files manually, you can use Wordfence to restore your WP core files.
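Before replacing anything, it helps to know which core files actually differ from the release. The following is an added example, not code from the original post or from Wordfence: it compares an installed tree against a pristine copy of the same WordPress version. The function names, the skip list, and the sample trees are assumptions constructed for this illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Site-specific top-level paths that are not core files (assumption of this example).
SKIP_TOP_LEVEL = {"wp-content", "wp-config.php", ".htaccess"}

def file_hashes(root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every core file under root."""
    hashes = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if path.is_file() and rel.parts[0] not in SKIP_TOP_LEVEL:
            hashes[rel.as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes

def compare_core(installed: Path, pristine: Path) -> dict[str, list[str]]:
    """Classify core files as modified, missing, or unexpected."""
    live, good = file_hashes(installed), file_hashes(pristine)
    return {
        "modified": sorted(p for p in good if p in live and live[p] != good[p]),
        "missing": sorted(p for p in good if p not in live),
        "unexpected": sorted(p for p in live if p not in good),
    }

def build_demo_trees(base: Path) -> tuple[Path, Path]:
    """Constructed sample data: a tiny 'pristine' tree and a tampered 'installed' copy."""
    pristine, installed = base / "pristine", base / "installed"
    core = {"index.php": "<?php // front controller",
            "wp-includes/version.php": "<?php // version info",
            "wp-admin/admin.php": "<?php // admin bootstrap"}
    for root in (pristine, installed):
        for rel, body in core.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
    (installed / "index.php").write_text("<?php // front controller\n// injected line")
    (installed / "wp-admin/admin.php").unlink()
    (installed / "wp-includes/cache-x.php").write_text("<?php // not in the release")
    (installed / "wp-content").mkdir()
    (installed / "wp-content/custom.css").write_text("/* site content, skipped */")
    (installed / "wp-config.php").write_text("<?php // site config, skipped")
    return installed, pristine

def run_demo() -> dict[str, list[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        return compare_core(*build_demo_trees(Path(tmp)))

if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(kind, paths)
```

Files reported as unexpected inside wp-admin or wp-includes deserve a look before they are deleted, since replacing the known core files alone leaves them in place.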

How to add a new feature/styling/JS to the site without editing WordPress core files? WordPress themes support custom JS and CSS code. If your theme doesn’t let you place custom JS/CSS code, you can find/install/use a plugin that will let you do so. You can also add custom JS/CSS to your website by creating a file containing your custom JS/CSS code and loading it with the wp_enqueue_style and wp_enqueue_script functions. What about PHP functions? You can add the custom PHP function you’ve written to the theme’s functions.php file and make WP use your function by using the add_action function.

Closing words: There’s a massive risk in editing the WP core files, and there should be a strong reason for editing them. Thus, edit them only when required.


Pramod is the founder of wptls. He has been using WordPress for more than nine years. He builds web applications, and writes about his experiences with various WP products on this site.
