Welcome to Press This, the WordPress community podcast from WMR. Each episode features guests from around the community and discussions of the largest issues facing WordPress developers. The following is a transcription of the original recording.
Doc Pop: You’re listening to Press This, a WordPress Community Podcast on WMR. Each week we spotlight members of the WordPress community. I’m your host, Doc Pop. I support the WordPress community through my role at WP Engine, and my contributions over on TorqueMag.Io where I get to do podcasts and draw cartoons and tutorial videos. Check that out.
As an agency or plugin developer, there are many times when running customer support could be made so much easier if you had access to your customer’s dashboard. But there’s obviously a lot of concerning issues about asking for that sort of access and how it could be done.
That’s why today we’re gonna be talking with Zack Katz. The founder of GravityKit and TrustedLogin. TrustedLogin is a new tool which allows temporary and encrypted access to be shared between customers and support teams, and I’m super excited to talk to him about that for this episode. Zack, you’ve been in the WordPress game for as long as I’ve known.
How did you get into WordPress?
Zack Katz: I started as a web designer and developer, and I started off doing some really janky solutions to allow my clients to edit their own content. And I landed on the old trinity of Drupal, Joomla, or WordPress. And Drupal was still in beta. Joomla was as confusing as it remains today, and WordPress was an up-and-comer at, like, 2.5, I think, was the version I started with.
And it was a clear winner and I fell in love, and it really has been what I’ve been developing on top of ever since.
Doc Pop: When was WordPress 2.5? What era is this?
Zack Katz: 2007.
Doc Pop: Okay. So you’ve seen some stuff and you’ve been as part of that dealing with customers and support for a long time, and I imagine with your current company now, GravityKit, y’all have grown. First off, why don’t you tell us about GravityKit and then we can talk about TrustedLogin.
Zack Katz: GravityKit, we make applications that go on top of Gravity Forms. So Gravity Forms gathers the data that you want to use for your business, and GravityKit allows you to build out powerful no-code applications on top of that. So with GravityView you can display the data, with GravityCharts you can chart the data, et cetera.
And you can do really cool, powerful things with it.
Doc Pop: And as I mentioned before at the top of the show, you have a new tool now called TrustedLogin. It’s an add-on kit that a developer can add to their plugin. I’m sure there’s other ways that can be done. How did you first come to need this tool?
And then you can tell us about like what TrustedLogin is.
Zack Katz: So for plugin developers, any plugin developers out there, or theme developers, you’ll know that it’s a lot easier to figure out what’s going on with the website if you have access to that website. And the way to do that in the past has been that you ask for admin access, so you can log in and check things out.
But the problem with admin access is that you have access to everything. And every time I asked for admin access, a little part of me inside would be saying, “Zack, this is a really bad idea.” This is an easy way to create a single point of failure. Like, if somebody hacks your email, then they’ll have access to everything.
And that’s true. The gates are open when you have administrator access to a website and as a plugin developer and a business owner, I didn’t want to be on the hook. It didn’t seem safe for the business, but it also wasn’t respectful of the company of my customers because I wanted to limit their exposure to any security issues, not just me, but like the people that I work with.
I didn’t want any of our devices being compromised, bringing down any of their sites. So I thought about the different options that are out there for WordPress developers. There are temporary link passwords, where you get a temporary link to log in to a website. That link becomes the password. So if somebody emails you that link, it’s the same as you having their email and their password.
It makes it easy to share access, but it doesn’t solve the problem of passing around credentials that are potentially insecure.
Doc Pop: Mm-hmm.
Zack Katz: So, I was using Codeable one day and I saw that they had an encrypted vault, and I thought that was really neat.
So like while you’re chatting with your Codeable.io developer, you have an encrypted vault where you can keep your secrets and it encrypts it and decrypts it and it works really easily. And I thought to myself that it must be possible to encrypt a key that I could use and my customers could share, and that key, using some public encryption handshaking, could be secure from start to end.
And that it would be a secure way of granting access that would be publicly shareable because it’s not a password. So I started working on the concept and hired somebody from Codeable to develop it. And from there we’ve iterated on it. We’ve been working on it for a long time now, but we’ve been using it internally with GravityView and GravityKit now.
And we use it every day, and it saves the support team a ton of time, and customers love it. You just click a button, it generates a passkey, they share that with us. And coming out in the next week or two, they’ll click a button and it’ll automatically do a webhook to Zapier that will post information about their website.
The site health report automatically gets added to Help Scout, our help desk program. And so we’ll not even have to ask them to copy and paste their site health report, if they opt into that.
Doc Pop: Mm-hmm.
From the user’s point of view, do they see that they’re giving you dashboard access or is it just like a button that says, click here to connect to support?
Zack Katz: That’s another thing that I’ve been seeing on some different plugins. Some plugins do this themselves. They create the account and just kind of email themselves a new account email, because that’s one way you could go. You could just say, when people click a button, just generate an account and send us the login information. That’s very easy.
With TrustedLogin, one of the primary goals I had was clarity, and to make it clear to the customer what they’re giving, for how long, to whom, like what it means. So we give them a summary page when they’re granting access that says, “A user account is going to be created with this role, based on this role.”
Developers have an opportunity to base something on a role or actually have it be the role. So if you have a customization, you can say based on Editor, but they also have access to this custom post type. So any customizations to a role can be displayed to the customer.
The amount of time that the login will be granted is displayed and will soon be customizable. So it says within one week they’ll be granted access. It shows the logo of the company who’s integrating with TrustedLogin. It shows information about TrustedLogin itself. It says if you don’t feel comfortable about this, click to go to the plugin developer’s website itself and ask for support.
So we give all sorts of different ways of saying, here’s what’s happening, here’s why it’s happening, here’s why we need the access that we need, and here’s a way out if you don’t want to deal with this, you just want to go to the developer’s website. That’s an option.
Doc Pop: There’s different types of roles in WordPress, there’s super admin, admin, editor, author, contributor, what are we doing here? Is it editor that we’re giving access to through TrustedLogin? Or is it even some sort of specific thing that’s not actually one of those traditional roles?
Zack Katz: By default we have it be that the developer themselves chooses what the role will be that will be customized or used for the TrustedLogin access. We do have some capabilities that are disabled, which is deleting other people’s users so that you can’t get access and delete people’s user accounts.
Or escalate your own account to a higher level. We’re going to be adding the ability for people to request escalation and have that email the site administrator, and the administrator can allow for that. But we didn’t want people to get access and be able to hijack the site by escalating it.
So there are some restricted capabilities that are not granted whenever a TrustedLogin access has been granted.
Doc Pop: I think there’s been a number of times where I’m on Mastodon chatting with a friend or whatever, you know, just talking about, like, a WordPress problem. And then I’ll get a DM from someone who I trust and they’ll be like, “Yo, I can fix that, just create an admin role for me,” or whatever.
I have just ignored those. I think I know a bit about WordPress, but just the fundamental thing of, like, when to grant access to people who wanna help you out or whatever, I just haven’t figured that out emotionally.
Do you have any advice, like, just in general, like when someone says, “Hey, can you make me an admin and I’ll fix that for you?”
If you trust that person and if they’re like good in the community or whatever, is that still a bad idea or is that like a totally normal thing to do?
Zack Katz: It’s up to each individual to figure out their level of comfort with that. I think if you know the person, and I wouldn’t send anything on a Twitter DM, I would go to the Share a secret website and encrypt it and send it to them and have them decrypt it, like that’s the way to go.
I don’t like sharing plain text passwords. It’s just not a good idea.
Doc Pop: Yeah.
Zack Katz: But at some level you have to trust somebody; there’s zero trust stuff. But, like, I don’t know. If you know somebody and they’re offering to help you, I would say make it a little easier than saying, “I can give you subscriber access to my site.”
Doc Pop: That’s a good spot for us to take a break. Here we’re chatting with Zack Katz from TrustedLogin and GravityKit. When we come back, we’re gonna talk about how to build trust with your customers through encryption, through whatever means that you need to do to make them feel safe. So stay tuned for more Press This.
Doc Pop: Welcome back to Press This, a WordPress Community podcast on WMR. My name is Doc and I’m chatting with Zack Katz, the founder of TrustedLogin and GravityKit. At the beginning of the show we talked about this new tool, TrustedLogin, and how it’s an easy way for a support team to get the access that they might need to make a quick problem go away.
And how TrustedLogin kind of fixes this issue that’s been around, this issue that Zack has run into. And I told him that I personally had been kind of trying to figure out when is a good time to use something like this. And that kind of brings us to what you were saying, Zack, about if you are gonna share credentials, you definitely wanna be secure with it.
And obviously we’re talking about if I’m chatting with someone on Twitter or Mastodon, how I would kind of do it. But I think what you’re doing is a whole other level of encryption. Can you tell us about how y’all are protecting this information? And how long you keep it, and if you store any personal information while you do it?
Zack Katz: Sure. When a user grants access to their website, it gets encrypted and sent directly to TrustedLogin and it’s stored there, encrypted. And the one thing that’s not encrypted is the URL of their website.
And that allows us to find it a little easier on the support side. Everything else is encrypted. If it were to be hacked and everything downloaded, it wouldn’t matter because there’s a private key that’s generated on the client site. So that we can’t read anything that goes and gets stored on our service.
Then when a support representative logs in, the support representative is given a key that the customer gives to support. We enter that key as the support representative and ask TrustedLogin, “Hey, do you have anything that matches this key?” That key gets encrypted and then searched for as the encrypted key, and then the login all happens.
The nice thing is that the support representative never has access to any of that encrypted data. It all goes through TrustedLogin. TrustedLogin doesn’t know anything about the client site. It’s all encrypted. All the handshaking only allows the most limited amount visible to each representative at any specific time, so that it’s as secure as it can possibly be.
Doc Pop: Did we mention the temporary credentials?
Zack Katz: So there’s a whole nother level of security on top of the TrustedLogin, like, encryption stuff. Anytime the representative, the support representative, tries to log in to the client site, the client site then asks TrustedLogin one more time before granting access: is this key still valid?
Is the request valid? Is the person allowed? And the client site checks all that stuff before. Then the client site also says, is the time that’s passed within the window of access that I’ve granted, so is it an expired request? And if the request is expired, the login is rejected.
So requests automatically time out; it’s very secure. It’s publicly shareable as a key. I feel like we’ve found a really nice balance, because with every kind of encryption and security issue, there’s always a balance between convenience and security. And I think we’ve found a really nice mix of that, where it’s still really convenient and it’s still really secure, but it’s not so secure that it’s inconvenient.
Doc Pop: Mm-hmm. And you said transparency is a big focus for you, which I appreciate: communicating to users what they’re giving permission to, and then also flagging site admins if a role needs to be escalated, so that some lowly contributor can’t accidentally grant too much access to a site. Is that right?
Zack Katz: Yeah, the only way that our grant access screen is visible is if you have the ability to create users. We don’t want people who don’t have that capability to be doing this because you’re creating a user in the backend.
Doc Pop: As a WordPress-er who has sometimes reached out to customer support for various plugins, I’m not really sure what’s happening oftentimes on their end. Is there a suite of tools that a lot of plugins tend to use kind of frequently for, like, handling customer support that I wouldn’t even see as a customer?
Zack Katz: I think there’s a really high usage of Help Scout in the WordPress plugin community. It’s a help desk where it’s kind of like your email inbox, but it has triage tools and auto-responders and saved replies and integration with some documentation search and stuff.
So I think Help Scout is one of the more popular sites that’s used by WordPress developers.
Doc Pop: Is Help Scout, is that TrustedLogin compatible?
Zack Katz: So, if you were to email GravityKit support and say, “Hey, I need some help,” the TrustedLogin widget in Help Scout that we have developed will automatically show whether or not access has been granted for a site. And so while a support representative is using Help Scout,
they’ll see, “Hey, I can just click to gain access to the site.” Click it, it redirects to their own website, so like GravityKit.com, and then GravityKit.com does the authorization check with TrustedLogin and redirects to the customer’s site automatically. So while we’re providing support, if somebody’s already granted access, you can just click one click and you’re into the customer’s website, all securely.
Doc Pop: And I think I’ve focused a lot on plugin developers maybe using this as an add-on. You mentioned that theme developers could use this. Is this also something that, like, an agency, if they built a site for a client, is there a way that they could kind of integrate TrustedLogin into their workflow as well?
Zack Katz: Absolutely. Yeah. I think that agencies don’t always want permanent access to a client’s site for liability purposes, but also they like to hand it off sometimes and not be permanently involved.
If a client then wants to have them make changes, they can grant TrustedLogin access. We have a standalone plugin that is only TrustedLogin, and it doesn’t integrate with another existing plugin or theme, so you can just install the TrustedLogin plugin when you set up a website, and then whenever the client needs to grant access, they can click grant access and you have access for a specific amount of time. So it’s great for agencies as well, granting temporary access to the site.
Doc Pop: That is a cool workflow because I kept thinking of it as something that you just build into the plugin, and just have it in there. But having it as a standalone plugin, that makes a lot of sense as well. And I hadn’t really heard about, I guess an agency wanting to kind of be able to remove themselves from a project like that, that’s pretty cool.
That makes sense, that sometimes an agency might just wanna build a site for you and it’s up to you to take care of it, and you can’t blame them if something goes wrong later. It’s kind of like in your hands. But if they ever do need to get back in, if they’re billing hourly or if they realize they made a mistake or something, if they ever need that access back in,
This is a way for them to be able to do that, right?
Zack Katz: Yeah. And one of the things we’re building out currently is the audit log functionality. Where, for web hosting companies, for example, anytime that somebody uses TrustedLogin, we have been logging it forever in the backend, whenever a request is granted, so that we can make sure that we have an audit.
But for agencies, they might wanna say, this is when we were logging in, this is when access was revoked. So they have a thing they can refer to and say, this is, you know, confirmed. This is known for security purposes, but also for hour logging. Yeah.
Doc Pop: I think there’s another good spot for us to take a quick break. When we come back we’re gonna continue our conversation with Zack Katz, the founder of TrustedLogin and GravityKit. So stay tuned.
Doc Pop: Welcome back to Press This, a WordPress Community Podcast on WMR. My name’s Doc. I’m chatting with Zack Katz, the founder of TrustedLogin and GravityKit. Zack, earlier on the show you mentioned, I believe, an upcoming feature in TrustedLogin where you will be able to access Site Health status more easily.
And I don’t know what Site Health Status is on my end. I’m hoping you can explain just a little bit about that tool and how a company like yours, how a support team might benefit from having access to Site Health.
Zack Katz: Sure. So when you’re doing triage for a bug and somebody says this isn’t working, there are a lot of easy questions that could be answered with the Site Health report in WordPress. Under Tools, there’s a submenu called Site Health, and that includes things like what version of PHP, what theme are you running, what other plugins are running.
A whole host of issues can be resolved by knowing the time zone, knowing the language, and all that information you normally have to do another round trip of customer support for and say, “That sounds like a bug. Sounds like something we need more information about the site for. Can you share that by copying this information from the Site Health dashboard and pasting it into an email and replying to us?”
Well, now with TrustedLogin, coming out this next week actually, there’s a checkbox that says send a Site Health report. And if they check that box when they’re granting access, it’ll automatically send all that information to us and it will just be attached to the existing ticket. And it’s gonna be so nice for our customer support team ’cause they won’t have to ask that round-trip question.
And that saves everybody time, including support, saves the cost per support request if that were a metric that we kept track of. And it saves time for the customer who can get their bugs fixed faster and their questions answered faster.
Doc Pop: So I guess the final thing that’s coming to my mind is, as someone who’s working on TrustedLogin, how are you building that confidence with the developers and agencies to try to integrate your product into their system? It sounds like you put a lot of thought into encryption and just being very mindful of how you handle people’s data.
How are you making that marketing pitch to your potential customers?
Zack Katz: I’m starting with people that I know first. They know me, I know them. I know that they have this problem with their customer support flow that we all have in the industry. And so I’m starting with relationships that are already in existence, and hopefully from there people can say, “Oh, this plugin that I use, this company that I trust, they’re integrating with TrustedLogin.”
And I can build the message that way. Because it is kind of a complicated story to tell. Integrate with TrustedLogin and granting access to your site is easier, but there are multiple customers with TrustedLogin. There’s the end user and there’s the developer, the plugin vendor.
And we’re really a product for both. So it’s hard to properly communicate that sometimes.
Doc Pop: But it sounds like you’re gonna overcome it. Have you found any troubles so far?
Zack Katz: Because it’s a software development kit that needs to be integrated with a plugin, it can be complicated to get set up and running. But we are working with Josh Pollock, with Plugin Machine, so that we can have a customized file built that’s downloadable and easily installed, standalone from Composer installations, which is a developer thing that can get complicated quickly.
We’re just gonna make it so you can download a zip, unzip it, drop a line in your plugin, and it’s up and running. So we’re working on making it simpler from a developer side. It’s already, I think, pretty good for an advanced developer, but it’s also not as good for an intermediate developer at the moment.
Doc Pop: So if folks want to learn more about TrustedLogin, if they wanna maybe sign up to test it out, is there a good place to send them for that?
Zack Katz: Yeah, go to TrustedLogin.com and read all about it. Sign up for the mailing list. We’re gonna be sending out updates. And yeah, please express your interest, get in touch with me on Mastodon and ask questions, because I’d love to talk about it.
Doc Pop: Well, Zack, thanks so much for joining us today on Press This, a WordPress Community Podcast. It’s been really fun chatting with you and hearing about kind of the issues that developers and theme makers and agencies might have that I haven’t thought of, even though I’ve probably pinged them. I’ve probably dealt with some of these issues before without even realizing it.
TrustedLogin sounds awesome. And if people want to follow Zack, you can do so on mastodon.social/@ZackKatz. I highly recommend it.
Doc Pop: Good plug. Thanks for listening to Press This, a WordPress community podcast on WMR. Once again, my name’s Doc and you can follow my adventures with Torque magazine over on Twitter @thetorquemag, or you can go to torquemag.io where we contribute tutorials and videos and interviews like this every day. So check out torquemag.io or follow us on Twitter. You can subscribe to Press This on Red Circle, iTunes, Spotify, or you can download it directly at wmr.fm each week. I’m your host, Doctor Popular. I support the WordPress community through my role at WP Engine. And I love to spotlight members of the community each and every week on Press This.