Are Deactivated WordPress Plugins a Security Risk?

WordPress Security | 11 November 2025 | By IceBoxDesigns

Switching a plugin off in WordPress doesn't remove it from your site. The files stay on your server, vulnerabilities and all, and that's where the problem starts. If you've got a growing list of deactivated plugins sitting in your dashboard, it's worth understanding what risk they actually carry and what to do about it.

Key Takeaways

  • Deactivating a plugin disables its features but leaves all its files on your server.
  • Attackers can still target those files if the plugin has a known vulnerability, even when it's switched off.
  • Deactivated plugins are easy to forget about, which means they often miss security updates.
  • The safest move is to delete any plugin you're not actively using.
  • If you do keep deactivated plugins, keep them updated and audit your list regularly.

What Actually Happens When You Deactivate a Plugin?

When you deactivate a plugin in WordPress, its functionality is completely disabled. It stops running, stops interacting with your site, and your visitors won't see any trace of it. That much is fine.

What doesn't happen is the removal of its files. Every line of code, every file that plugin brought with it, stays on your server until you physically delete it. That distinction, deactivation versus deletion, is the crux of the whole issue.

There are plenty of legitimate reasons to deactivate rather than delete. You might be troubleshooting a site error and need to isolate which plugin is causing it. You might be testing an alternative and want to switch back easily. Or you might be genuinely unsure whether a plugin is doing anything useful. In a large e-commerce site with thousands of products, for instance, the only reliable way to tell if a particular plugin is still needed is sometimes to turn it off and see what breaks.

So deactivation has its place. The risk comes from leaving plugins in that state long-term without thinking about them again.

Why Deactivated Plugins Can Still Be Exploited

The code is still there

Even with a plugin switched off, its files are accessible on your server. If that plugin has a known vulnerability, an attacker can potentially reach those files directly, especially if they've already found another way in, such as weak admin credentials or a separate hole elsewhere on the site.

They tend to miss updates

Out of sight, out of mind. Deactivated plugins get overlooked during routine maintenance far more often than active ones. If a security patch is released for a plugin you've switched off and forgotten about, the odds are you won't apply it. Attackers actively look for outdated software, and a deactivated plugin is no exception.

Automated scanners don't care whether it's on or off

Cybercriminals use automated tools to scan websites for the presence of specific vulnerable plugins. Those tools aren't checking whether the plugin is active. If the files are there, the plugin shows up as a target.

Plugin clutter leads to human error

A long list of deactivated plugins makes your WordPress dashboard harder to manage. The more cluttered it gets, the easier it is to lose track of what's there, what version it's on, and whether it still needs to be there at all.

When Is the Risk Lower?

It's not always a crisis. Two situations where deactivated plugins carry relatively low risk:

  • Short-term deactivation. If you've switched a plugin off to debug something and you'll be switching it back on or deleting it within a day or two, the risk is minimal, provided the plugin is up to date.
  • Strong hosting security. A server with solid firewall protections makes it harder for attackers to reach deactivated plugin files. It doesn't eliminate the risk, but it reduces it.

Neither of these is a reason to be complacent. They're just context.

Best Practice: Delete Plugins You're Not Using

The straightforward answer is this: if you're not using a plugin, delete it. Keeping it around because you might use it again one day isn't worth the exposure. Here's why deletion is the better call:

| Benefit | What It Means in Practice |
| --- | --- |
| Reduced attack surface | No files on the server means no files for attackers to target |
| Better performance | Frees up server space and reduces dashboard clutter |
| Simpler maintenance | Fewer plugins to monitor, update and audit |

How to Remove Deactivated Plugins Safely

Before you start deleting, take these steps:

  1. Back up your site. Create a full backup of your files and database before making any changes. If something goes wrong, you'll want to be able to restore it.
  2. Check for stored data. Some plugins store data in your WordPress database. Check whether the plugin gives you the option to delete its data on removal. If it doesn't, you may need to clean up the database manually afterwards, which is a technical task best handled carefully or passed to a developer.
  3. Delete the plugin. Go to the Plugins section in your WordPress dashboard, find the deactivated plugin, and click Delete.
  4. Check the server files. After deletion, it's worth verifying that all associated files have actually been removed from your server.

If You're Keeping Deactivated Plugins, Do These Things

Sometimes you genuinely need to keep a plugin deactivated for a while. If that's the case, these steps will help keep the risk down:

  • Keep them updated. Yes, even deactivated ones. Security patches apply regardless of whether the plugin is switched on.
  • Audit your plugin list regularly. Go through both active and deactivated plugins on a routine basis and delete anything you don't need.
  • Only use plugins from trusted sources. Stick to the official WordPress plugin repository and reputable developers. Avoid anything from unverified third-party sites.
  • Lock down your site generally. Strong passwords, two-factor authentication, and secure hosting all make it harder for attackers to exploit anything on your server, deactivated plugins included.
  • Use a security plugin. Tools like Wordfence, Sucuri, or iThemes Security can scan your site for vulnerabilities and flag if a deactivated plugin is putting you at risk.
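A small audit script, added here as an example and not part of the IceBoxDesigns post, that backs up the "audit your plugin list" and "keep them updated" steps above and doubles as the file check after a deletion: it reads the `active_plugins` value the way WordPress stores it in wp_options (a PHP-serialized array of `slug/main-file.php` strings), lists every plugin whose files are still under wp-content/plugins with its Version header, and flags inactive plugins that lag a known latest version. The plugin names, versions, the serialized value and the `latest_versions` map are constructed sample data; in real use you would feed it your actual plugins directory and a version list taken from the WordPress.org plugin directory.

```python
import os
import re
import tempfile

# Matches the "Plugin Name:" and "Version:" fields of a WordPress plugin file header.
HEADER_FIELD = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)

def parse_active_plugins(serialized):
    """Return the 'slug/main.php' entries from the PHP-serialized `active_plugins` option."""
    return re.findall(r's:\d+:"([^"]+)";', serialized)

def installed_plugins(plugins_dir):
    """Map 'slug/main.php' -> header fields for every plugin whose files are on disk."""
    found = {}
    for slug in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, slug)
        if not os.path.isdir(path):
            continue
        for name in sorted(os.listdir(path)):
            if not name.endswith(".php"):
                continue
            with open(os.path.join(path, name), encoding="utf-8", errors="replace") as fh:
                fields = dict(HEADER_FIELD.findall(fh.read(8192)))  # header sits in the first 8 KB
            if "Plugin Name" in fields:
                found[f"{slug}/{name}"] = fields
    return found

def audit(plugins_dir, active_serialized, latest_versions):
    """One row per plugin on disk: active or inactive, and whether it lags the known latest version."""
    active = set(parse_active_plugins(active_serialized))
    rows = []
    for plugin, fields in installed_plugins(plugins_dir).items():
        slug, version = plugin.split("/", 1)[0], fields.get("Version", "unknown")
        rows.append({
            "plugin": plugin,
            "state": "active" if plugin in active else "inactive",
            "version": version,
            "outdated": latest_versions.get(slug, version) != version,
        })
    return rows

def build_sample():
    """Constructed fixture: two plugins on disk, only one of them activated."""
    root = tempfile.mkdtemp()
    for slug, version in (("shop-helper", "2.1.0"), ("old-gallery", "1.3.2")):
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, f"{slug}.php"), "w") as fh:
            fh.write(f"<?php\n/*\nPlugin Name: {slug}\nVersion: {version}\n*/\n")
    active = 'a:1:{i:0;s:27:"shop-helper/shop-helper.php";}'  # constructed wp_options value
    return root, active, {"shop-helper": "2.1.0", "old-gallery": "1.4.0"}
```

Any row reported as inactive is a plugin that is switched off but still sitting on the server; run the same audit again after deleting one and it should simply no longer appear.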

Keeping your WordPress site tidy and well-maintained is the single best thing you can do for its security. Our WordPress website maintenance service covers routine plugin audits, updates and security checks so nothing slips through the cracks.

If you'd rather hand this off entirely and focus on running your business, get in touch with the IceBox team and we'll take it from there.

Frequently Asked Questions

Can a deactivated WordPress plugin actually be hacked?

Yes. Deactivating a plugin disables its features but leaves its files on your server. If that plugin has a known vulnerability, attackers can still target those files directly, particularly through other weaknesses on your site.

Should I delete deactivated plugins or is switching them off enough?

Deleting is the safer option. It removes the files from your server entirely, eliminating any attack surface. Deactivation alone leaves the code in place and it can still be exploited.

Do I need to update plugins that are deactivated?

Yes. Security vulnerabilities in a plugin can be exploited whether it's active or not, because the files are still on your server. If you're keeping a deactivated plugin, keep it updated.

Will deleting a plugin remove all its data from my site?

Not always. Some plugins give you the option to delete their stored data on removal, but others don't. If a plugin leaves data behind in your database, you may need a developer to clean it up manually.
