Last updated September 14, 2013. Created by JohnNoc on May 16, 2007.
Edited by myglobaldata_gil, greggmarshall, neerajskydiver, batigolix. Log in to edit this page.

"Never hack core!"

This phrase is commonly heard in the Drupal community. You might have seen it on T-shirts or stickers. You might have seen the video. It is one of the most important best practices for Drupal.

With "core" is meant all the files that belong to the original Drupal installation. That is all files except the ones in the "sites" folder. You can add install profiles to the directory "profiles," but you should not modify any of the already present files in that folder.

Why you shouldn't modify core files

No matter how easy it is to modify core files to make Drupal do what you want it to do, resist the temptation.

  • Doing so will make it complicated, difficult or near impossible to apply site updates such as Security and bug fixes.
  • You will make it difficult for those that come after to maintain the site.
  • You could possibly leave your site vulnerable to exploits.

The Drupal core has been designed to be modular, so there should be no reason to hack it. If there is a feature you want and it cannot be accomplished outside of modifying core, consider submitting your hack as a patch. Create an issue and tell the community the feature you want to accomplish. It will then be tested and your feature may become a part of the Drupal core.

Exceptions

Are there exceptions to this rule?

Nope.

Okay, maybe. But this is generally for specific sites or implementations by people who are extremely familiar with the Drupal code base, development practices and security model. Those who properly document their changes and practice proper revision control with their code. If you have to ask, chances are you shouldn't.

Looking for support? Visit the Drupal.org forums, or join #drupal-support in IRC.

Comments

I admit that I hacked core - once - when I needed to add a proxy configuration to core with a well known and controversial patch:

#735420: Drupal 6 proxy server support

IMO applying patches from d.o is acceptable, especially if you document it.