Consider this post a public service announcement.
It’s a common misconception that if a plugin is deactivated in WordPress, that you are immune from performance or security issues.
On it’s face, this is not true, and you are risking the internet with this mentality!
Take last year’s Timthumb debacle, for instance. Many themes include Timthumb for dynamic resizing of images. Sometimes plugins do. When those themes or plugins are not activated, you are correct in assuming WordPress is not loading them. What you are failing to see is that their existence on the filesystem provides a vector of attack for someone wanting to exploit a system-level exploit.
Not to say Timthumb is insecure. Old versions are. I still don’t like it for other reasons, like performance. Simply using it as an example.
But if you decide to not use a plugin or a theme, delete the damn thing so it’s presence doesn’t even exist. In the case of Timthumb, the security flaw wasn’t a WordPress exploit. It was a “PHP directly interacting with the system” exploit and it would be there anywhere else regardless of CMS. It could exist on a static site.
And it’s not just your site at risk. Fuck your site. What if that flaw in whatever flawed code existed woke up a botnet? Then everyone is at risk. I’m at risk. You and your silly site are at risk. Joe the plumber’s site is at risk. Thoretically.
So be responsible. Delete unused code from your site. Remove themes you don’t use. Delete plugins you don’t use.
And when I say delete, I mean, permanently delete. Don’t just deactivate.
The Internet thanks you.
Update: This is not a verdict on any plugin or theme. To my knowledge, most are perfectly fine. Just clarifying that this is a “just in case” precaution.