Most conversations about the WordPress ecosystem focus on the platform: the block editor, the ongoing builder wars, the plugin marketplace. The agencies running client WordPress sites at scale rarely get that attention. They should.
CloudLinux and WebPros surveyed 210 WordPress agencies and freelancers to find out how they operate: where they run client sites, how they handle security and performance, and what they expect AI to do for them next. Selected insights and the link to the full report are in this post.
Most agencies are small, but the portfolios are not
78% of the agencies surveyed are solo operators or small teams of up to 10 people. That matches the general shape of the WordPress services market. What is less intuitive is what those small teams are managing.
18% of agencies manage more than 100 client WordPress sites. 47% of solo and small agency operators manage more than 20. Headcount and portfolio size are only loosely linked: a solo freelancer carrying responsibility for a hundred-plus sites is not an outlier in this data.
The services these agencies provide extend well beyond building sites. Hosting, ongoing maintenance, security monitoring, and performance optimization are each offered by 44-55% of agencies, and the average agency offers around four services. Each one is a continuing commitment that compounds with every site added to the portfolio.
Agencies own the infrastructure stack
When clients engage a WordPress agency, the hosting question usually lands with the agency. 83% of agencies either choose hosting outright or recommend it and stay involved in the final decision. Only 7% say the client picks hosting independently.
The CMS or framework choice follows the same pattern: 74% of agencies choose or recommend the technology based on project requirements.
About 42% of agencies run exclusively on self-managed VPS or dedicated servers. 38% are exclusively on managed hosting. Scale consistently pushes agencies toward self-managed infrastructure: 90% of agencies managing more than 100 sites operate at least some on self-managed VPS or dedicated servers. The per-site cost of managed hosting adds up across a large portfolio. Self-managed servers are easier to standardize, and larger clients often need configurations that managed hosts will not accommodate.
Security splits along the same line as hosting
Security approach follows from infrastructure choice almost deterministically. Self-managed agencies lean on server-level security tools they operate themselves. Managed-hosting agencies lean on WordPress security plugins.
Across the whole survey, the dominant security challenge is not breach response or compliance. It is keeping plugins and themes updated across all client sites — named as a top challenge by 65% of agencies, rising to 75% among agencies managing more than 100 sites. Brute-force attacks, malware cleanup, and clients not following security best practices cluster in the 27–33% range: real concerns, but clearly secondary.
Among agencies managing 100+ sites, 45% still update WordPress manually, one site at a time — precisely the group where that approach creates the most exposure.
Performance is a heavier lift than security
37% of agencies describe performance work as significant, heavy, or overwhelming — higher than the 28% who say the same about security.
The difference is structural. Security can be systematized: install the right server-level tools, configure a WAF, enforce update policies. Performance fixes tend to be site-specific — caching tuning, image compression, plugin replacement. Fixes that work on one client's site require re-evaluation on the next.
The top performance challenge is plugin and theme bloat (59%). Third-party scripts that clients add after launch come second (30%), and that number rises sharply with portfolio size: from 16% at agencies managing 20 or fewer sites to 50% at agencies managing 100+.
AI adoption is wide but not deep where it matters most
Nine in ten agencies are already using AI tools somewhere in their workflow. AI use concentrates in content writing (59%), code generation and debugging (53%), and SEO research (39%). Site monitoring and maintenance automation — the area most directly tied to the operational overhead described above — is where only 16% of agencies currently apply AI.
The capabilities agencies most want from AI map directly onto where they are already feeling the most pain: automated WordPress updates with intelligent pre-update testing (38%) and automated security across client sites (35%). Agencies have figured out that AI can write content and generate code. The harder problem — using AI to reduce the update and security load that grows with every site added — is where demand is highest and current coverage is lowest.
Agentic AI is already inside agency dev workflows
Basic AI autocomplete (GitHub Copilot, ChatGPT) appears in 63% of agency coding workflows. 39% of agencies are already running AI agents — Cursor, Claude Code, Windsurf — for complex, multi-step development tasks. 26% use design-to-code workflows.
Agentic coding is not a coming capability in this market. It is already standard for about two in five agencies. That creates a new security consideration: AI agents with broad system access introduce vectors that traditional endpoint security tools were not designed for — prompt injection, poisoned dependencies, unauthorized reads of environment files or credentials.
AI and automation as the force and the lever ahead
63% of agencies name AI and automation as the biggest force expected to reshape the WordPress agency segment over the next two to three years — nearly twice the share who name cybersecurity threats (36%), competition from DIY site builders (35%), or economic pressure (25%).
43% of agencies say improving efficiency through AI, automation, and better tooling is their top growth strategy for the coming year — ahead of expanding service offerings (39%), moving clients to recurring service plans (34%), and raising prices (33%).
37% of agencies feel prepared for the next two to three years. 24% feel underprepared. For those that act early, the window to build operational leverage before the rest of the market catches up is open now.
Scaling with intention in 2026
The findings across this report point to four consistent levers:
Standardize on infrastructure that scales. The move to self-managed VPS and dedicated servers at larger portfolios is a control story as much as an economics story. Agencies that run their own infrastructure can standardize security and performance across the portfolio instead of solving each site individually.
Automate the patching workload. Plugin and theme updates are the #1 security challenge and the largest ongoing time cost. Any automation that reduces manual touching of each site has compounding returns as the portfolio grows.
Apply AI where it creates operational leverage. Content and code generation are already well-served. The next wave is automation of maintenance, security, and monitoring workflows.
Build security for the AI agent era. Nearly two in five agencies are already running AI coding agents. Those agents need a security model that operates at the OS level, not the application layer.
The full 2026 State of WordPress Agencies report is free to download here: State of WordPress Agencies 2026 | Hosting, Security & AI Benchmarks
About the Research
The CloudLinux product portfolio addresses the pressures documented in this report directly. CloudLinux OS provides OS-level website isolation and server stability. Imunify360 delivers a six-layer security platform with a WordPress-tuned WAF that applies virtual patches without requiring manual plugin updates. AccelerateWP and MAx Cache automate WordPress performance optimization. Imunify for AI Agents intercepts OS-level activity from AI coding agents on developer machines and servers. Learn more:
