Never Hack Core!
If you've ever worked with open-source software such as Linux, Wordpress, Drupal, phpBB, etc., you may have run across the title of this article. Never hack core! But what does that mean? Doesn't the whole premise of open-source involve people tweaking and (hopefully) improving the core code? Yes -- but in a very controlled way that usually involves many eyes on the code verifying that the change is a good one which will benefit the program as a whole.
Hacking core means downloading an application (typically web-based, in this case) and then modifying some part of the downloaded code to fit your specific need. And here's why that's a bad decision...
Updates, Overwrites, and Changelogs - Oh My!
Any actively maintained software undergoes updates. If you run a closed-source operating system (such as Windows or Mac OS X), updates come in the form of patches released by the developer. Those patches get added to the compiled code and all is well. But what about non-compiled, open source applications such as website content management systems? Well, those get updated too for security purposes or to add additional features -- but updates are done by replacing the existing code files with new ones and all the old code is overwritten. To be clear: despite the fact that most updates are small and targeted to certain files, all files get overwritten during an update. What this means is that if you made a change to a core system file, your changes will be overwritten every time you have to update.
If you're the sole maintainer of the website, this may not be that big of a concern. You may even keep a changelog of your hacks so that when updates occur you can just jump back into the files that need changing and re-apply them. But if you're working with anyone else this can become problematic very quickly if one person performs the necessary updates and that person isn't aware of the modifications done to the core files. Functionality could be disrupted for some time before anyone is made aware of the problem. Furthermore, even if you are the sole maintainer, it's possible that the official update to the application may have broken your hack or made it inoperable, which leaves you with a decision: do you abandon your hack (and whatever benefit that hack provided) and go with the up-to-date core code or do you skip the update and potentially leave your website running with insecure code?
What's the Right Solution?
Any modern CMS or other web-based open source application has the ability to extend the functionality and design of the core software via modules or themes. Before launching into a headache-inducing downward spiral of hacking core, first check to see if there is an existing module that does what you need. Odds are you're not the first person to do what it is you're trying to do, so don't reinvent the wheel. However, if it turns out that there is no existing component out there you'll need to write one yourself, which is not as daunting as it sounds. If you're confident enough to hack core you should be able to take the next step and learn how to write a module properly that fits in with the existing framework.