MySQL Hardening: Your Guide to Securing Databases
A complete expert guide to securing production MySQL instances. Learn how to turn a standard installation into a digital fortress.
In an era of relentless SQL Injection attacks and data breaches, a default MySQL configuration is asking for trouble. Every administrator who values their data (and their sleep) must go through the hardening process. This is not an option — it's an obligation.
01. mysql_secure_installation
This is the first step after every installation. The script automates several key tasks that you would otherwise have to perform manually: it removes anonymous users and the test databases, and it disables remote login for the root account.
sudo mysql_secure_installation
02. Binding to Localhost
By default, MySQL may listen on all network interfaces. If your application and database are on the same server, MySQL should only listen on 127.0.0.1.
bind-address = 127.0.0.1
03. Disabling Remote Root Access
The root account should never be able to log in from an external IP address. Brute-force attacks are primarily aimed at this account. Always create dedicated users with restricted permissions for specific databases.
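To verify that steps 01 to 03 actually took effect, or to apply the same fixes by hand on a server where the script was never run, the following SQL is an added example (not part of the original guide and not from the MySQL project). It assumes a MySQL 8.0 server and a session with privileges on the mysql schema; the host values in the DROP USER statements are placeholders to be replaced with whatever the preceding audit queries return.

```sql
-- Added example: audit and remediation for steps 01-03 (not from the original guide).
-- Assumes MySQL 8.0 and a session with privileges on the mysql schema.

-- 1. Anonymous accounts (empty user name): the hardened state is "no rows".
SELECT user, host FROM mysql.user WHERE user = '';
-- Remove any that exist. The hosts below are placeholders; use the
-- host values returned by the query above.
DROP USER IF EXISTS ''@'localhost';
DROP USER IF EXISTS ''@'%';

-- 2. Test database, plus any privilege rows that still reference it
--    (installers grant everyone access to test and test_%).
DROP DATABASE IF EXISTS test;
SELECT user, host, db FROM mysql.db WHERE db = 'test' OR db LIKE 'test\_%';

-- 3. root reachable from anywhere other than the local machine: expect no rows.
SELECT user, host FROM mysql.user
 WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1');
DROP USER IF EXISTS 'root'@'%';        -- placeholder host, see the query above

-- Any account allowed from every host ('%') deserves a second look too.
SELECT user, host FROM mysql.user WHERE host = '%';

-- 4. Confirm the running server settings behind step 02 rather than trusting
--    the config file: bind_address should be 127.0.0.1 (or skip_networking ON)
--    when the application is local, and local_infile is best left OFF.
SHOW VARIABLES WHERE Variable_name IN
  ('bind_address', 'skip_networking', 'require_secure_transport', 'local_infile');
```

Run the SELECT statements first and keep their output with the change ticket; rerunning them after the DROP statements gives a before/after record that an auditor can check.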
04. The Principle of Least Privilege
Your WordPress application or e-commerce shop doesn't need SUPER or GRANT OPTION privileges. Grant only what is necessary: SELECT, INSERT, UPDATE, DELETE.
GRANT SELECT, INSERT, UPDATE ON dbname.* TO 'app_user'@'localhost';
Expert Pro Tip
Always use TLS/SSL for remote connections if binding to localhost is not possible. Encrypting database traffic is the absolute standard in 2024.
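The following SQL is an added example covering both the least-privilege account design of step 04 and the TLS requirement from the pro tip (it is not part of the original guide and not from the MySQL project). It assumes MySQL 8.0; the database name shopdb, the application host 192.0.2.10 and the password placeholders are made up for the example.

```sql
-- Added example for step 04 and the TLS tip (not from the original guide).
-- Assumes MySQL 8.0. 'shopdb', the host 192.0.2.10 and the password
-- placeholders are constructed for this example.

-- Local application account: DML only, nothing that changes schema or grants.
CREATE USER IF NOT EXISTS 'app_user'@'localhost'
  IDENTIFIED BY '<strong-password-placeholder>';
GRANT SELECT, INSERT, UPDATE, DELETE ON shopdb.* TO 'app_user'@'localhost';

-- Same application running on a separate host: pin the source host and
-- refuse the login unless the connection is TLS-encrypted.
CREATE USER IF NOT EXISTS 'app_user'@'192.0.2.10'
  IDENTIFIED BY '<strong-password-placeholder>'
  REQUIRE SSL;
GRANT SELECT, INSERT, UPDATE, DELETE ON shopdb.* TO 'app_user'@'192.0.2.10';

-- Reporting account: read-only, scoped to the one schema it needs.
CREATE USER IF NOT EXISTS 'report_user'@'localhost'
  IDENTIFIED BY '<strong-password-placeholder>';
GRANT SELECT ON shopdb.* TO 'report_user'@'localhost';

-- Verify exactly what an account can do; the output should list only the
-- GRANT lines above, never ALL PRIVILEGES, SUPER or WITH GRANT OPTION.
SHOW GRANTS FOR 'app_user'@'192.0.2.10';

-- Audit: non-root accounts holding global administrative privileges.
SELECT user, host FROM mysql.user
 WHERE user <> 'root'
   AND (Super_priv = 'Y' OR Grant_priv = 'Y' OR File_priv = 'Y'
        OR Create_user_priv = 'Y' OR Shutdown_priv = 'Y');
-- MySQL 8.0 dynamic privileges (SYSTEM_VARIABLES_ADMIN and friends) are
-- stored separately, so check that table as well.
SELECT user, host, priv FROM mysql.global_grants WHERE user <> 'root';

-- Audit: remote-capable accounts that do not require TLS (ssl_type is empty).
SELECT user, host FROM mysql.user
 WHERE host NOT IN ('localhost', '127.0.0.1', '::1') AND ssl_type = '';

-- Once every client is TLS-ready, enforce it server-wide instead of per account:
-- SET PERSIST require_secure_transport = ON;
```

Per-account REQUIRE SSL is the safe first step because it fails only the accounts you have deliberately converted; the server-wide require_secure_transport switch is the end state, turned on once the TLS audit query returns no rows.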