If I were starting a small WordPress agency tomorrow, the stack would be opinionated, boring in the good way, and weighted heavily toward tools that have a five-year-plus track record. The exciting tools change every two years; the boring ones still run client sites I built in 2017. This is the stack, role by role, with the actual reasoning behind each pick.
Jump to:
- The principle: pick boring over exciting
- Page builder layer
- Custom fields and content modeling
- Hosting
- Forms
- Caching and performance
- SEO
- Backups
- Image optimization
- Security
- AI tooling
- The full stack at a glance
The principle: pick boring over exciting
Every tool in this stack got picked for the same reason: it has been around long enough that I trust it will still be maintained in five years, and short enough churn in API surface that a site built today will still work without major rework when I come back to it in 2031. Agency profitability lives or dies on the maintenance burden of tools chosen years ago. The price difference between the cheap plugin and the boring one disappears the first time the cheap one breaks under load on a client's launch day.
That means: I will not be recommending the latest VC-funded page builder, the newest hosting startup, or the buzziest AI SaaS. They might be great. They might also not be here in 2027. The stack below trades flashiness for survivability.
Page builder layer
Pick: ACF Flexible Content for marketing-site page assembly, plus Gutenberg core blocks for long-form body content.
I do not run Divi or Elementor by default on new builds (I am a custom-dev-first engineer), but I respect both deeply for the agencies that have standardized on them. If your team is already shipping fast on Divi or Elementor, do not change. The stack below assumes a team that prefers ACF + custom templates, but the rest of the picks compose with builder-first teams too.
The full case for ACF Flexible Content over Gutenberg-as-builder is in Why Many Agencies Still Prefer ACF Over Gutenberg. The short version: ACF Flexible Content templates are PHP partials and they do not break across WordPress versions.
Custom fields and content modeling
Pick: Advanced Custom Fields Pro.
ACF Pro is the single highest-impact plugin on every WordPress site I have built in the last ten years. The Flexible Content field, the Repeater field, the Options Pages, the Relationship field, the Image and Gallery fields: these are the building blocks of every non-trivial content model. I have used ACF since the early 5.x releases; the API has been stable enough that field group registrations I wrote in 2017 still work.
Cost: ~$249/year for unlimited sites with the Pro license. Cheap compared to the time it would take to recreate this functionality on every project.
Hosting
The honest answer here is "it depends on traffic and operational maturity." A decision matrix beats a single pick.
| Site profile | Pick |
|---|---|
| Brochure site, low traffic, agency-managed | Managed WP host (Kinsta, Rocket.net, Pressable). The dev experience is the win. |
| WooCommerce, mid traffic | Cloudways on Vultr High Frequency, or WP Engine if budget allows |
| High-traffic publisher | Pantheon, WP Engine, or Kinsta scale plan |
| Directory site with lots of write traffic | Self-managed VPS (Hetzner, DigitalOcean) with a senior sysadmin |
| Beginner freelancer's first site, tight budget | SiteGround, or a Cloudways Vultr small plan |
| Big-brand site needing the name in pitches | WP Engine |
Avoid: shared hosts that overcommit. You will spend more support time on them than the savings justify.
The recurring rule: hosting decisions are operational decisions, not pricing decisions. Every hour spent fixing preventable server problems is an hour not spent delivering client work. Managed hosting is almost always the right choice for an agency under 50 client sites, because it removes the need for in-house server expertise. Above 50 sites, the math shifts toward a self-managed setup with a dedicated sysadmin.
Forms
Pick: Gravity Forms, with Contact Form 7 as a free-tier fallback for the smallest budgets.
Gravity Forms is the boring choice that has been worth it on every project. The add-on ecosystem (Stripe, Mailchimp, Salesforce, ActiveCampaign, custom webhooks) is the real win. The form builder UI is fine; the back-end integrations are why you pay for it.
Contact Form 7 is fine for "we just need a contact form, do not over-engineer this." It is free and it works.
Avoid: Elementor Forms (lock-in to Elementor), most "modern" form builders that turn out to be SaaS with monthly fees.
Caching and performance
Pick: WP Rocket, plus Cloudflare in front.
WP Rocket is the boring premium choice. It does page caching, browser caching, lazy loading, critical CSS, JS deferral, font preloading, and database cleanup, all with reasonable defaults. The configuration UI is opinionated in a good way: you can turn it on, leave the defaults, and have a measurably faster site immediately.
Cloudflare in front of WP Rocket gives you the CDN, the DDoS protection, the SSL automation, the WAF (on paid plans), and the cdn-cgi/image transform proxy if you want responsive images without storage cost.
Avoid: stacking too many caching plugins. WP Rocket plus Cloudflare is one cache and one CDN. Adding W3 Total Cache or LiteSpeed Cache on top creates conflicts.
SEO
Pick: Rank Math (free or Pro).
I have used Yoast for years. The reason I now reach for Rank Math first is that it does more out of the box (advanced schema, redirections, 404 monitor, sitemap, breadcrumbs) without the upsell pressure pattern that Yoast's UI has trended toward. Rank Math Pro adds the multi-language and Google Trends integration if you need those.
Yoast is still fine. If a client team is already trained on it, do not change.
Avoid: the constellation of "SEO booster" plugins that promise rankings via metadata tricks. None of them are worth installing.
Backups
Pick: UpdraftPlus for off-site backups to S3-compatible storage, plus whatever the host provides as a second layer.
The "two backup layers" rule matters more than the specific tool. Host backups die when the host has an outage; off-site backups die when your S3 credentials rotate without you noticing. Having both means at least one survives the bad day.
UpdraftPlus is boring, configurable, and works. Set it to back up daily to Backblaze B2 or DigitalOcean Spaces. Test the restore on a staging site quarterly. The test is not optional.
Avoid: backup plugins that ship their own cloud storage at a premium. You pay multiples for less control.
Image optimization
Pick: ShortPixel or Imagify for one-time on-upload optimization, plus Cloudflare Polish or cdn-cgi/image for delivery-time optimization.
The cleanest setup is to author images in JPEG and let Cloudflare's image transform serve WebP and AVIF at request time based on browser support. That is what I do on the TechEarl site itself. For client sites that do not want a Cloudflare dependency, ShortPixel or Imagify on upload achieves most of the same win.
Avoid: client-side JavaScript image optimizers. They add page weight, not subtract it.
Security
Pick: Wordfence (free or Pro) plus Cloudflare WAF (if on a Cloudflare paid plan).
Wordfence handles the WordPress-aware things: malicious-login detection, file integrity scanning, two-factor for admin users, and the application-level firewall rules. Cloudflare's WAF handles the network-layer attack patterns before they reach WordPress at all.
The non-plugin half of security matters more: keep core, themes, and plugins updated; enforce strong admin passwords; force HTTPS; disable file editing in wp-config.php (define('DISALLOW_FILE_EDIT', true);); audit your active plugins twice a year and remove anything unused.
Avoid: any "security plugin" that wants to take over wp-admin's login URL as its main feature. Hiding the login is security theater.
AI tooling
Pick: Claude Code (Claude CLI) for development work, plus Anthropic's Claude or ChatGPT for non-coding tasks (briefs, content drafts, SOP creation).
The full case is in Using Claude CLI to Manage WordPress Sites and the role-by-role breakdown is in How Small WordPress Agencies Can Use AI in 2026, by Role. Skip the wrapper SaaS that resells the same API for a markup; go to the source.
The full stack at a glance
| Layer | Pick | Annual cost (approx) |
|---|---|---|
| Content model | ACF Pro | $249 (unlimited sites) |
| Page assembly | ACF Flexible Content (included) | (included) |
| Forms | Gravity Forms Elite | $259 |
| Caching | WP Rocket Plus | $99 (3 sites; more tiers above) |
| CDN / WAF | Cloudflare | Free–$20/mo |
| SEO | Rank Math Pro | $69 |
| Backups | UpdraftPlus Premium | $70 (or free + Backblaze) |
| Image optimization | ShortPixel | $10/mo for 7,000 images |
| Security | Wordfence Premium (optional) | $99 |
| Hosting | Kinsta / WP Engine / Cloudways | Varies by site |
| AI | Claude Code subscription | $20/mo per seat (Pro) |
Total for the agency itself (not per client): roughly $1,000–$1,500/year in licenses, plus the hosting bill (passed through to clients in most cases).
This stack ships fast on a new project, keeps maintenance low across the portfolio, and avoids the trap of "we will switch tools every two years." If a tool on this list goes away or stops being maintained, the swap-in alternatives are usually well-known. That is the survivability argument for boring choices.
Sources
Authoritative references this article was fact-checked against.
- Advanced Custom Fields (official site)advancedcustomfields.com
- WP-CLI (official site on wordpress.org)wordpress.org
- WP Rocket (official site)wp-rocket.me
- Gravity Forms (official site)gravityforms.com
