A plugin that has security holes is a problem, whether or not it is activated. So here are some reasons why it is often recommended to remove plugins that you aren’t using.
- If you have plugins that you aren’t using, you often don’t care about keeping them updated. As a result, they won’t get any security updates, and that will be a vulnerability on your site. People often think that a plugin that is not running can’t negatively affect your site, but in the case of security, an attacker can exploit a security hole in a plugin that is installed, even if it is not activated.
- Think about why the plugin is not running in the first place. If it is a plugin that you use regularly, and you just turn it on and off as needed, that is fine. However, it could be a plugin that didn’t work right, or is no longer being maintained. This second category of plugins is especially a problem for security, as they are often the source of security holes.
If your deactivated plugins are actively maintained and are kept updated, they aren’t a problem. But if you have plugins installed that aren’t being used and aren’t being updated, it is best to remove them.
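
One way to find the plugins this advice applies to, as an added example that is not part of the original page: the function below triages the CSV that WP-CLI prints for `wp plugin list --fields=name,status,update,version --format=csv`. The function name, the two labels and the sample plugin names are constructed for illustration, and plugin slugs and versions are assumed to contain no commas.

```shell
#!/usr/bin/env bash
# Added example. Real usage (requires WP-CLI, run from the WordPress root):
#   wp plugin list --fields=name,status,update,version --format=csv \
#     | triage_inactive_plugins

# Reads WP-CLI plugin CSV on stdin and prints one line per inactive plugin:
#   UPDATE-PENDING    installed, not activated, and behind on updates
#   NO-UPDATE-LISTED  installed, not activated, no newer version offered
# "NO-UPDATE-LISTED" does not prove the plugin is maintained: an abandoned
# plugin never offers an update, so these still need a manual review.
triage_inactive_plugins() {
  awk -F',' '
    NR == 1 {
      # Map column names to positions so the field order does not matter.
      for (i = 1; i <= NF; i++) col[$i] = i
      if (!("name" in col) || !("status" in col) ||
          !("update" in col) || !("version" in col)) {
        print "expected columns: name,status,update,version" > "/dev/stderr"
        exit 2
      }
      next
    }
    $col["status"] == "inactive" {
      label = ($col["update"] == "available") ? "UPDATE-PENDING" : "NO-UPDATE-LISTED"
      print label, $col["name"], $col["version"]
    }
  '
}

# Constructed sample output (not taken from a real site).
sample_plugin_csv() {
  cat <<'EOF'
name,status,update,version
contact-form-x,active,none,5.1
old-gallery,inactive,available,1.2.0
seo-helper,active,available,3.4
staging-tools,inactive,none,2.0.1
EOF
}

sample_plugin_csv | triage_inactive_plugins
```

Plugins reported as `UPDATE-PENDING` are the ones described above as installed, unused and not updated; those you do not plan to use again are the candidates for removal.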