Disabled plugins are security holes – rumor or reality?

I’ve read many WordPress Security blog articles where the Security Experts are recommending some special steps to take care when somebody is concerned about their WordPress site’s security. One of them is:

WordPress Security Tips:
Remove unnecessary plugins, that are not in use.

A plugin that has security holes, whether by code, structure or db connections, can be fatal for a site even if it’s activated on a site. On the other hand, a well structured, well coded, and securely db-connected plugin may not have a security hole even when it’s deactivated. So where’s the issue exactly?

I have a site where there are some plugins I use occasionally. I actually don’t want to delete them but when they are not needed I just deactivate them from the site. Do I need to delete them to secure my site and if so, why?


A plugin that has security holes is a problem, whether or not it is activated. So here are some reasons why it is often recommended to remove plugins that you aren’t using.

  1. If you have plugins that you aren’t using, you often don’t care about keeping them updated. As a result, they won’t get any security updates, and that will be a vulnerability on your site. People often think that a plugin that is not running can’t negatively affect your site, but in the case of security, an attacker can exploit a security hole in a plugin that is installed, even if it is not activated.

  2. Think about why the plugin is not running in the first place. If it is a plugin that you use regularly, and you just turn it on and off as needed, that is fine. However, it could be a plugin that didn’t work right, or is no longer being maintained. This second category of plugins is especially a problem for security, as they are often the source of security holes.

If your deactivated plugins are actively maintained and are kept updated, they aren’t a problem. But if you have plugins installed that aren’t being used and aren’t being updated, it is best to remove them.
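One way to run the check the answer describes, as an added example that is not part of the original answer: it reads the CSV that WP-CLI's `wp plugin list --fields=name,status,update,version --format=csv` produces and reports every deactivated plugin, flagging those with a pending update. The plugin names and versions in the sample are constructed.

```shell
#!/bin/sh
# Added example: audit deactivated WordPress plugins for pending updates.
# Expected input (stdin): CSV from
#   wp plugin list --fields=name,status,update,version --format=csv

# Prints one line per inactive plugin: "<name> <version> <verdict>"
audit_inactive_plugins() {
  awk -F',' '
    NR == 1 { next }              # skip the CSV header row
    $2 != "inactive" { next }     # active plugins are out of scope here
    # A deactivated plugin with a known newer release: its files are still
    # on disk, so it should be updated or deleted.
    $3 == "available" { print $1, $4, "UPDATE_OR_REMOVE"; next }
    # update=none only means no newer release is known; it does not prove
    # the plugin is still maintained, so it needs a manual look.
    { print $1, $4, "REVIEW_MAINTENANCE" }
  '
}

# Constructed sample output, so the example runs without a WordPress install.
sample_csv() {
  cat <<'EOF'
name,status,update,version
example-forms,active,none,5.3
example-gallery,inactive,available,1.2.0
example-banner,inactive,none,2.0.1
EOF
}

# On a live site, replace sample_csv with the wp command shown above.
sample_csv | audit_inactive_plugins
```

Plugins marked `UPDATE_OR_REMOVE` are the ones the answer warns about; `REVIEW_MAINTENANCE` entries still need a check that the plugin is actively maintained.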
