Inactive plugins and the quiet risk of what you are not using
Deactivated is not gone. The plugins sitting switched off in your install are still code on your server.
Deactivating a plugin feels like putting it away. You click the link, the plugin goes quiet, the feature disappears from your site, and the row sits there grayed out, waiting. It feels finished. It is not. Deactivated is not gone, and the gap between those two words is where a surprising amount of WordPress risk quietly lives.
The instinct makes sense. A deactivated plugin does nothing on the front end, so it is easy to treat it as harmless, a thing that is already mostly out of the way. But the code did not leave. It is still sitting in your wp-content/plugins folder, still on the server, and under the right conditions it is still reachable. The plugin you stopped using months ago is doing more than nothing. It is waiting.
Deactivated is not removed
When you deactivate a plugin, WordPress stops loading it on a normal page request. That is the whole of what deactivation does. The files stay exactly where they were. Every PHP file the plugin shipped is still on disk, at a URL an attacker can guess or scan for, and that is the part that matters.
Plenty of plugin vulnerabilities live in files that can be hit directly, without the plugin being active at all. A request to a specific file inside the plugin folder runs that code, active or not, because the file is there to be requested. So the comforting mental model, off means safe, does not hold. The accurate model is simpler and less comfortable: if the code is on the server, the code is part of your attack surface.
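A defender-side check that makes this concrete, as an added example (it is not code from the original post and not part of RecapWP): the convention plugin authors use to refuse a direct request to one of their files is a guard such as `if (!defined('ABSPATH')) exit;` at the top of each PHP file, since ABSPATH is only defined when the file is loaded through WordPress. The script below walks a plugins directory, active or not, and reports PHP files that carry no such guard. The plugin files it scans are constructed sample data written to a temporary directory; the guard pattern is a heuristic (a file that only declares functions is harmless either way, and a comment mentioning ABSPATH would pass it), so a hit is a prompt to look, not a verdict.

```python
"""Report PHP files under a WordPress plugins directory that lack the
conventional ABSPATH direct-access guard.  Added example with constructed
sample plugins; it only reads and reports, it changes nothing."""
import re
import tempfile
from pathlib import Path

# Matches the usual spellings of the guard:
#   if ( ! defined( 'ABSPATH' ) ) { exit; }
#   defined('ABSPATH') || die();
GUARD_RE = re.compile(r"defined\s*\(\s*['\"]ABSPATH['\"]\s*\)", re.IGNORECASE)


def unguarded_php_files(plugins_dir):
    """Return plugins-relative paths of .php files with no ABSPATH check,
    in sorted order.  Heuristic: any occurrence of defined('ABSPATH')
    counts as guarded."""
    root = Path(plugins_dir)
    findings = []
    for php in sorted(root.rglob("*.php")):
        try:
            text = php.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than guess
        if not GUARD_RE.search(text):
            findings.append(php.relative_to(root).as_posix())
    return findings


# Constructed sample plugins (not real plugins): one guarded throughout,
# one deactivated-and-forgotten plugin with no guard in any file.
SAMPLE_PLUGINS = {
    "guarded-plugin/guarded-plugin.php":
        "<?php\n/*\nPlugin Name: Guarded\nVersion: 1.2.0\n*/\n"
        "if ( ! defined( 'ABSPATH' ) ) { exit; }\n",
    "guarded-plugin/includes/helper.php":
        "<?php\ndefined('ABSPATH') || die();\n",
    "old-plugin/old-plugin.php":
        "<?php\n/*\nPlugin Name: Old\nVersion: 0.3\n*/\necho 'hello';\n",
    "old-plugin/lib/ajax.php":
        "<?php\n// constructed: no guard at all\n",
}


def write_sample_plugins(root):
    """Materialise SAMPLE_PLUGINS under root so the scan has real files."""
    for rel, body in SAMPLE_PLUGINS.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")
    return root


def demo():
    """Scan the constructed sample set and return the unguarded files."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_plugins(tmp)
        return unguarded_php_files(tmp)


if __name__ == "__main__":
    for rel in demo():
        print("no ABSPATH guard:", rel)
```

Point `unguarded_php_files()` at a real `wp-content/plugins` directory to get the same report for your own install; the deactivated rows on the plugins screen are scanned exactly like the active ones, which is the post's point.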
It still needs to be kept updated
Here is the second half of the problem, and the one that catches conscientious site owners off guard. People who update diligently tend to update the plugins they use. The deactivated ones fall off the list, because why update something you turned off? Months pass. The plugin sits there at the version it was when you stopped caring about it.
Meanwhile, the security world keeps moving. A vulnerability gets disclosed for that plugin, a patch ships, and the disclosure becomes a public targeting list that automated scanners read within hours. Your active plugins got the patch. The deactivated one, frozen at an old version, did not. You now have a known, unpatched, publicly documented hole in a piece of code you forgot you still had.
An unused plugin gives you none of the benefit of running it and all of the obligation of maintaining it.
The "I might need it later" trap
Almost every site accumulates these the same way. You tried a plugin and it was not quite right. You swapped one tool for another and never circled back. You deactivated something to test a conflict and forgot to clean up. In each case the plugin stays installed for the same reason: I might need it later.
It is a reasonable-sounding thought that almost never survives contact with reality. The plugin you might need later is, in practice, the plugin you never reactivate. And in the unlikely event you do want it back, reinstalling a plugin from scratch takes about a minute, and you get the current, patched version instead of the stale copy you have been carrying. The "later" you are saving for costs you almost nothing to recreate, and the keeping costs you a maintenance obligation you are not actually meeting.
The trap is that doing nothing feels free. It is not. Every installed plugin, used or not, is code you are responsible for keeping current, and a deactivated one is the code you are least likely to keep current at all.
The rule is short: delete what you will not reactivate
There is no clever technique here, which is what makes it easy to skip and easy to do. Walk your plugins list. For each deactivated one, ask a single honest question: am I realistically going to turn this back on? If the answer is no, or "probably not," delete it. Not deactivate. Delete.
Deleting a plugin is a normal, built-in WordPress action, a button right there on the plugins screen, and it removes the files from the server completely. That is the whole point. Once the code is gone, it cannot be exploited, it cannot fall out of date, and it never shows up on a vulnerability list again, because it is no longer there to show up. Fewer installed plugins means less code to keep updated and a smaller surface for anything to go wrong on. The cleanest dependency is the one you removed.
Keep the ones you use. Update the ones you keep. Delete the rest. That is the entire policy, and it quietly retires a category of risk most owners never knew they were carrying.
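The walk through the plugins list can be done from the files and the database rather than by eye. As an added example (not from the original post and not RecapWP's own code), the script below reconstructs the "installed but deactivated" list the way WordPress itself sees it: activated plugins are stored in the `active_plugins` option as `dir/main-file.php` entries, and everything else under `wp-content/plugins` is installed but off. Plugin name and version are read from the header comment in each plugin's main file, so the report also shows how far behind a forgotten plugin sits. The plugin files here are constructed sample data in a temporary directory; on a real site the active list would come from the database (for example `wp option get active_plugins --format=json`). It is detect-only: it produces findings and deletes nothing.

```python
"""Inventory of installed-but-deactivated WordPress plugins, with the
version each one is frozen at.  Added example using constructed sample
plugins; it reports only and never removes anything."""
import re
import tempfile
from pathlib import Path

# Header lines WordPress reads from the top of a plugin's main file,
# whether written as "Plugin Name: X" or " * Plugin Name: X" in a docblock.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$",
                       re.MULTILINE)


def read_plugin_header(path):
    """Return {'Plugin Name': ..., 'Version': ...} parsed from the first
    8 KiB of a PHP file (WordPress reads only that much), or None when the
    file carries no Plugin Name header and so is not a plugin main file."""
    head = Path(path).read_text(encoding="utf-8", errors="replace")[:8192]
    fields = {}
    for key, value in HEADER_RE.findall(head):
        fields.setdefault(key, value)  # first occurrence wins
    return fields if "Plugin Name" in fields else None


def installed_plugins(plugins_dir):
    """Map each plugin slug ('dir/main.php' or 'single-file.php') to its
    header.  Like WordPress, look at .php files directly in the plugins
    directory and one level down, and keep only those with a header."""
    root = Path(plugins_dir)
    candidates = sorted(root.glob("*.php")) + sorted(root.glob("*/*.php"))
    found = {}
    for php in candidates:
        header = read_plugin_header(php)
        if header:
            found[php.relative_to(root).as_posix()] = header
    return found


def inactive_plugin_findings(plugins_dir, active_plugins):
    """One low-severity, detect-only finding per installed plugin whose
    slug is absent from the active_plugins list."""
    active = set(active_plugins)
    findings = []
    for slug, header in installed_plugins(plugins_dir).items():
        if slug in active:
            continue
        findings.append({
            "severity": "low",
            "plugin": header["Plugin Name"],
            "version": header.get("Version", "unknown"),
            "path": slug,
            "action": "delete it unless you will realistically reactivate it",
        })
    return findings


# Constructed sample install: one active plugin, one deactivated directory
# plugin (with a non-main uninstall.php beside it), one single-file plugin.
SAMPLE_FILES = {
    "active-seo/active-seo.php":
        "<?php\n/**\n * Plugin Name: Active SEO\n * Version: 4.1.0\n */\n",
    "old-gallery/old-gallery.php":
        "<?php\n/*\nPlugin Name: Old Gallery\nVersion: 0.3.1\n*/\n",
    "old-gallery/uninstall.php":
        "<?php\n// no plugin header here\n",
    "hello.php":
        "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.7.2\n*/\n",
}
SAMPLE_ACTIVE = ["active-seo/active-seo.php"]  # constructed option value


def demo():
    """Write the sample install to a temp dir and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_FILES.items():
            path = Path(tmp) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return inactive_plugin_findings(tmp, SAMPLE_ACTIVE)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['severity']}] {f['plugin']} {f['version']} "
              f"({f['path']}): {f['action']}")
```

Each finding names the plugin, the version it has been sitting at, and the slug you would look for on the plugins screen; the decision to delete stays with the site owner, which is why the script stops at reporting.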
What RecapWP flags
The hard part of this rule is not following it. It is remembering that the forgotten plugins are there at all, because forgotten is exactly what they are. They do not nag you. They generate no errors, no notices, no front-end symptoms. They are invisible until something goes wrong, which is the worst possible time to discover them.
That is the gap RecapWP closes. As part of its Platform checks, a scan surfaces "inactive plugins installed" as a finding, so the plugins you stopped using stop being invisible. It is a Low-severity, detect-only item, which is the honest classification: this is not a configuration RecapWP should change for you, because deleting a plugin is a decision only you can make, and only you know which of those grayed-out rows you might genuinely want back. So it does the part a tool can do well, which is notice and tell you, and it leaves the deleting to you, where it belongs.
RecapWP is a site auditor, not a firewall and not real-time protection. What it offers here is plainer than that and more useful day to day: a list of the things on your site that you would otherwise have to remember to look for, including the unused code you stopped thinking about a long time ago.
The fastest way to find out what you are still carrying is to run a scan and read the Platform findings. You may be surprised how many plugins are sitting in your install that you have not thought about in a year, and how good it feels to delete them.
Stop reading about it. Run the scan.
RecapWP Pro runs dozens of deterministic checks across every area and fixes them for you, with undo, plus the full-site crawl, redirect manager, frontend auditor and the Ask RecapWP assistant.