What to do with Unused Plugins in WordPress
If you’re using WordPress©, you have no doubt installed a few plugins to enhance your site. During the initial setup process, you probably spent quite a bit of time installing plugins, deciding which ones to keep and which ones to deactivate.
When we deactivate a plugin, we forget about it and it tends to sit in our Plugins folder collecting dust. You may get a notice that there’s an update for the plugin, but since you’ve found a better one, you ignore the notice and decide not to upgrade it, because you aren’t using it anymore.
“Why is this a problem?”, you might ask. Well, while the plugin is no longer active on your site, the code of a deactivated plugin still exists in your ‘wp-content/plugins/’ folder, so its files can still be requested directly by URL. This isn’t an issue for all plugins, but ones with files that take in user-supplied arguments, like POST and GET request information, can still be executed and may be vulnerable… even when the plugin is deactivated.
There are two ways you can handle an old plugin: delete it, or treat it like it’s a plugin you are using and update it. Personally, I’d rather just delete the old plugin. No sense in being a WordPress pack-rat. Get rid of it!
If there’s a chance you may use the plugin again, and you choose to keep it, just make sure you update it whenever a new version comes out. This way, you’re at least up-to-date with the most recent code base, even if you are not including it in your pages when users visit.
As a note, always remember to check the WordPress plugins directory or the plugin’s homepage for any compatibility issues before upgrading. And, as WordPress recommends, back up all content and databases prior to upgrading any part of your WordPress site.
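To decide what to delete or update, the following added example (not part of the original article) lists installed plugins that are not active and flags which of their PHP files read `$_GET`, `$_POST` or `$_REQUEST`. It assumes the active list is supplied in the `folder/file.php` form WordPress stores in its `active_plugins` option; the function names and the sample plugin tree are made up for illustration.

```python
import re
import tempfile
from pathlib import Path

# PHP superglobals through which a file receives request data.
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST)\b")

def plugin_slug(entry):
    """'akismet/akismet.php' -> 'akismet'; single-file 'hello.php' stays as is."""
    return entry.split("/", 1)[0]

def audit_inactive_plugins(plugins_dir, active_entries):
    """Map each installed-but-inactive plugin to its PHP files that read
    request input. A hit is a review hint, not proof of a vulnerability."""
    active = {plugin_slug(e) for e in active_entries}
    root = Path(plugins_dir)
    report = {}
    for item in sorted(root.iterdir()):
        if item.name in active or item.name == "index.php":
            continue  # active plugin, or WordPress's placeholder index.php
        if item.is_dir():
            php_files = sorted(item.rglob("*.php"))
        elif item.suffix == ".php":
            php_files = [item]
        else:
            continue
        hits = [p.relative_to(root).as_posix() for p in php_files
                if REQUEST_INPUT.search(p.read_text(errors="ignore"))]
        report[item.name] = hits
    return report

def demo():
    """Run the audit on a constructed plugins tree (all names are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php // Silence is golden.\n")
        for slug, name, body in [
            ("active-gallery", "gallery.php", "<?php echo (int) $_GET['id'];"),
            ("old-form", "old-form.php", "<?php /* Plugin Name: Old Form */"),
            ("old-form", "send.php", "<?php $msg = $_POST['msg'];"),
            ("old-widget", "widget.php", "<?php function w() { return 1; }"),
        ]:
            (root / slug).mkdir(exist_ok=True)
            (root / slug / name).write_text(body)
        return audit_inactive_plugins(root, ["active-gallery/gallery.php"])

if __name__ == "__main__":
    for slug, files in demo().items():
        print(f"{slug}: inactive, {len(files)} file(s) read request input {files}")
```

Every plugin in the report is a candidate for deletion or updating; the ones with flagged files are the first to deal with.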
For more information on WordPress plugin security, you should also read “Are Your Plugins the Weakest Link?”