
Essential MySQL Security Checklist: 14 Steps to Harden Your Database

To protect MySQL databases from unauthorized access and performance issues, this guide outlines fourteen essential security measures—including restricting remote access, regular backups, disabling default accounts, tightening user privileges, securing configuration files, and enabling logging—providing concrete commands and configuration snippets for robust protection.

ITPUB

1. Restrict MySQL Access to Specific Hosts

Do not expose MySQL to the Internet; grant privileges only to trusted hosts. The wildcard host in the first statement lets root log in from any machine, while the second limits root to the local machine:

GRANT ALL ON *.* TO 'root'@'%';
GRANT ALL ON *.* TO 'root'@'localhost';

You can also grant to a fixed IP address instead of a hostname. Run FLUSH PRIVILEGES; afterwards to apply the changes.

2. Perform Regular Backups

Backups protect against data loss from crashes, intrusion, or accidental deletion. Schedule daily or weekly dumps and store them securely so the system can be restored quickly after a disaster.

3. Disable or Restrict Remote Connections

Use TCP wrappers, iptables, or firewall rules, and add skip-networking or bind-address=127.0.0.1 in the [mysqld] section of my.cnf (or my.ini) to prevent MySQL from listening on external interfaces.

4. Set a Strong Root Password and Rename the Root Account

Change the default empty root password. The PASSWORD() function used below was removed in MySQL 8.0; on 5.7.6 and later the equivalent is ALTER USER 'root'@'localhost' IDENTIFIED BY 'new_password';

SET PASSWORD FOR 'root'@'localhost' = PASSWORD('new_password');

Or use mysqladmin -u root password new_password. Rename the root user to avoid targeted attacks. Editing the grant table directly works on older versions; the supported statement on all current versions is RENAME USER 'root'@'localhost' TO 'another_username'@'localhost'; which needs no FLUSH PRIVILEGES.

USE mysql;
UPDATE user SET user='another_username' WHERE user='root';
FLUSH PRIVILEGES;

5. Remove the Test Database

Delete the default test database that anonymous users can access:

DROP DATABASE test;

6. Disable LOCAL INFILE

Prevent the LOAD DATA LOCAL INFILE command, which can be abused to read files from the client host, by adding local_infile=0 to my.cnf under [mysqld]. The original set-variable=local-infile=0 form relies on the set-variable prefix, which was removed in MySQL 5.5; the plain local-infile=0 (or local_infile=0) spelling is accepted by all versions.

7. Remove Anonymous and Unused Accounts

Check for empty-user (anonymous) accounts:

SELECT * FROM mysql.user WHERE user='';

Drop them with:

DROP USER ''@'localhost';

On older versions use:

USE mysql;
DELETE FROM user WHERE user='';
FLUSH PRIVILEGES;

8. Reduce System Privileges

Ensure the MySQL data directory and binaries are owned by the mysql user and group, and that only root and mysql can read/write them.

9. Limit Database User Privileges

Grant only the permissions required for an application. Example:

GRANT SELECT ON billing.dianshang TO 'user1'@'localhost';
FLUSH PRIVILEGES;

Revoke unnecessary rights with REVOKE.

10. Remove or Disable the .mysql_history File

Prevent command history from being stored in ~/.mysql_history by redirecting it to /dev/null and deleting the file (put the export in your shell profile so it survives new sessions):

export MYSQL_HISTFILE=/dev/null
rm ~/.mysql_history
ln -s /dev/null ~/.mysql_history

11. Apply Security Patches

Keep MySQL up to date to avoid known vulnerabilities.

12. Enable Logging

Activate general query logging by adding general_log=1 and general_log_file=/var/log/mylogfile to the [mysqld] section of my.cnf. The original single option log=/var/log/mylogfile was removed in MySQL 5.6, so use the two options above on current versions. Restrict log file access to root and mysql only.

13. Use chroot to Isolate MySQL

Run MySQL inside a chroot jail (e.g., /chroot/mysql) and adjust the client socket path accordingly.

14. Disable LOCAL INFILE (Repeated for Emphasis)

Again, add local_infile=0 (the page's original set-variable=local-infile=0 uses a prefix removed in MySQL 5.5) to the configuration to block the dangerous command.
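As an added example that is not part of the original article, the following script audits a my.cnf [mysqld] section against steps 3, 6 and 12 of this checklist. It normalises option names the way the server does (dash and underscore are equivalent), unwraps the legacy set-variable= prefix so old configs are still read correctly, and treats an absent local_infile as not explicitly disabled. The sample configuration embedded in it is constructed for the demonstration.

```python
import re

# Constructed sample my.cnf (assumed contents, not taken from a real server).
SAMPLE_MY_CNF = """
[client]
socket=/var/run/mysqld/mysqld.sock
[mysqld]
bind-address=0.0.0.0          # listens on every interface
set-variable=local-infile=1   # legacy prefix (removed in MySQL 5.5), value still parsed
general_log=0
!includedir /etc/mysql/conf.d/
"""
DISABLED = ("0", "OFF", "FALSE")

def parse_mysqld_options(text):
    """Return {option: value} for the [mysqld] section only.
    MySQL treats '-' and '_' in option names as equivalent, so names are
    normalised to underscores; a bare flag such as skip-networking becomes "1";
    the legacy 'set-variable=name=value' form is unwrapped."""
    options, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line or line.startswith("!"):         # skip blanks and !include* directives
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "mysqld":
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() in ("set-variable", "set_variable"):
            key, _, value = value.partition("=")
        key = key.strip().replace("-", "_").lower()
        options[key] = value.strip() or "1"
    return options

def audit_my_cnf(text):
    """Return the checklist items (steps 3, 6, 12) that the config fails."""
    opts = parse_mysqld_options(text)
    findings = []
    local_only = ("127.0.0.1", "::1", "localhost")
    if "skip_networking" not in opts and opts.get("bind_address", "0.0.0.0") not in local_only:
        findings.append("step 3: listens on external interfaces; set bind-address=127.0.0.1 or skip-networking")
    if opts.get("local_infile", "1").upper() not in DISABLED:   # absent = not explicitly disabled
        findings.append("step 6: LOCAL INFILE not disabled; set local_infile=0")
    if opts.get("general_log", "0").upper() in DISABLED:
        findings.append("step 12: general query log off; set general_log=1 and general_log_file=...")
    return findings
```

Running audit_my_cnf(SAMPLE_MY_CNF) reports all three findings; a [mysqld] section with skip-networking, local_infile=0 and general_log=ON returns an empty list.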
