If you are using WordPress you have, no doubt, installed a few plugins to enhance your site.
In the initial setup process you probably spent quite a bit of time installing a number of plugins, deciding which ones to keep and which ones to deactivate.
The Problem
When we click deactivate, we forget about that plugin and it tends to sit there in our Plugins folder, being neglected and feeling pretty lonely and unwanted.
You may see there is an update available for this plugin, so it gets excited you might give it another shot, but you’ve moved on and ignore this update because you simply have lost interest in using this plugin or have moved on to a better plugin.
So why is this a problem, you might ask?
While the plugin is no longer active on your site, the code of a deactivated plugin still exists in your wp-content/plugins folder and can therefore still be requested directly by its URL.
This isn’t an issue for all plugins, but ones with files that take in user-supplied arguments, like POST and GET request information, may be vulnerable to being executed, even when deactivated.
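One way to spot such files on your own server, as an added example that is not part of the original post: the script below lists PHP files in a plugins folder that read GET/POST data but never check the ABSPATH or WPINC constant, the guard WordPress plugins commonly use to refuse direct requests. It is a heuristic, and the function names and the demo plugin files are constructed for illustration.

```shell
#!/bin/sh
# Added example (heuristic): list plugin PHP files that read request data
# but never check ABSPATH/WPINC, so a direct request to them runs their code.

# find_direct_input_files DIR -> one flagged path per line
find_direct_input_files() {
    find "$1" -type f -name '*.php' | sort | while IFS= read -r f; do
        # Does the file read user-supplied GET/POST data?
        grep -Eq '\$_(GET|POST|REQUEST)' "$f" || continue
        # Skip files that bail out when loaded outside WordPress.
        grep -Eq "defined\( *['\"](ABSPATH|WPINC)['\"] *\)" "$f" && continue
        printf '%s\n' "$f"
    done
}

# Constructed sample tree (not real plugins) so the script runs offline.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/old-gallery" "$root/contact-form"
    cat > "$root/old-gallery/export.php" <<'EOF'
<?php
// no guard: executes whenever this file's URL is requested
echo 'exporting ' . htmlspecialchars($_GET['file']);
EOF
    cat > "$root/old-gallery/old-gallery.php" <<'EOF'
<?php
if ( ! defined( 'ABSPATH' ) ) { exit; }
$title = isset($_POST['title']) ? $_POST['title'] : '';
EOF
    cat > "$root/contact-form/helper.php" <<'EOF'
<?php
function cf_greeting() { return 'hello'; }
EOF
    printf '%s\n' "$root"
}

# Usage: sh audit.sh /path/to/wp-content/plugins
# With no argument, audit the constructed demo tree instead.
if [ -n "${1:-}" ]; then
    find_direct_input_files "$1"
else
    demo=$(make_demo_tree)
    find_direct_input_files "$demo"
    rm -rf "$demo"
fi
```

A flagged file is not proof of a vulnerability, only a file worth reviewing or, for a plugin you no longer use, one more reason to delete it.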
The Solution…
There are two ways you can handle an old plugin: delete it, or treat it like it’s part of the few, the lucky, the enabled plugins’ club and update it.
Personally, I’d rather just delete the old plugin.
No sense in being a WordPress pack-rat; get rid of it!
If there is a chance you may use the plugin again, just make sure you update it whenever a new version comes out.
This way you are at least up to date with the most recent code base, even if you are not including it in your pages when users visit.
Deactivated plugins will typically not get updated when there is a new version and because of this, hackers can exploit your blog by attacking old plugins that have not been removed.
It is better to be safe than sorry. If you are not going to use a plugin, simply delete it, and then you only have plugins that you actually use.