Is any code executed in disabled plugins?
I was wondering how much of a problem disabled plugins can be, in terms of security. I found another related question here, but the answers don’t provide any details.
What I’d like to know is if any code of the plugin is ever executed by WordPress, when the plugin is in a disabled state. Of course it’s always possible to access the plugin files directly, and some code might end up being executed if there isn’t a line like
if (! defined('FOOBAR')) exit;. What I’m asking though, is if WordPress ever calls any code inside a disabled plugin. All code related to actions and filters should not run at all, I guess, otherwise the plugin would work (but it’s disabled). But I’m not sure if any other code is executed anyway, by default.