Keeping inactive plugins in a WordPress installation could leave the site open to bad guys who target a site, through installed plugins that might have vulnerabilities. Especially those that are old, unmaintained and may not have been well-designed/built, in the first place. For these reasons it is standard advice to remove any plugins that are not being used.
The basic reason why any given plugin can be targeted, however, is simply that WordPress by default places all plugins in a directory or folder that has the same name, on all websites.
And the basic defense is to control outside access to the plugin folder, and other default folders. Only a logged-in site Admin should be getting into the site directory structure, but by default anyone can. Permissions should be reset, directories renamed to preclude such rummaging.
Health Check, in the WordPress Admin Dashboard, warns us against keeping inactive plugins. But increasingly, in a variety of ways, this is quite useful. In the old days, plugins were managed by labor-intensive methods, which incidentally resulted in local archives, along with local means of viewing and editing code. Nowadays these methods are mostly gone, and along with them, most of the infrastructure to support local management. It was error-prone, too.
What we have today instead, is a much-better developed WordPress Admin, with additional plugins to further-enhance plugin-management tasks. Plugins must often for example be compared; this means having two or more
It is said that having these inactive plugins on your site is a security issue. But, inactive plugins update just like the active ones. (Thus really, the issue is less about inactive plugins, and more about those that are unmaintained and/or not updated.) They all come from the same wonderful WordPress Repo. Arguably, even, Active plugins can often be detected from their intended effects, in the live website … making them potentially more of an exposure than the less-visible inactive ones!
We should prevent others from viewing the plugin directory, and this is readily done. Depending on how a website server is set up, it is perfectly ordinary to type in www.somesite/wordpress/content/wp-plugins, and get a nice listing of all the plugins you use. There are several other core WordPress directories, none of which should be accessible to the public, and all of which are by default.
Get a Plugin to plug this security hole! For example
While you’re at it, learn a few Linux/Apache (Server) Permissions. These are half-a-handful of litte Commands that can be Set. They guard access to the inner workings of a website (and its Server). Sometimes the guard has to be lowered, in order to do something, and then it doesn’t get put back in place. Sometimes, another piece of software relaxes the setting, and again does not restore the protected-state.