
Security

Harden MySQL with secure accounts, TLS, network controls, and encryption.

User Accounts

Remove anonymous users and test databases on new installations. Disable remote root login; use SSH tunnels or private networks for administrative access.

Enforce strong passwords and consider LDAP or PAM authentication integration for enterprise environments.

-- Replace the placeholder with a strong password for the local root account
ALTER USER 'root'@'localhost' IDENTIFIED BY 'new-strong-password';
-- Remove the anonymous account that some installers create
DROP USER IF EXISTS ''@'localhost';
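The full cleanup that the paragraph above describes, as an added example that is not part of the original page (it reproduces by hand what mysql_secure_installation does on MySQL 8.0; the user@host pairs in the DROP USER statements are placeholders, so substitute the rows the first query returns):

```sql
-- Added example, not from the original page. MySQL 8.0.

-- 1. Find anonymous accounts (empty user name) and root accounts that can
--    log in from anywhere other than the local socket or loopback.
SELECT user, host, plugin
FROM mysql.user
WHERE user = ''
   OR (user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1'));

-- 2. Remove them. DROP USER needs the exact user@host pair, so repeat this
--    for every row returned above; the pairs below are placeholders.
DROP USER IF EXISTS ''@'localhost';
DROP USER IF EXISTS ''@'%';
DROP USER IF EXISTS 'root'@'%';

-- 3. Drop the sample database and the wildcard rows in mysql.db that give
--    every account access to any database named test or test_*.
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE db = 'test' OR db LIKE 'test\_%';

-- 4. Direct edits to grant tables only take effect after a reload.
FLUSH PRIVILEGES;
```

Remote administration then goes through an SSH tunnel or a private network to 'root'@'localhost', which is the point of step 2.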

Password Security

Use caching_sha2_password for modern clients. Store application passwords in vaults, not repositories. Rotate credentials on employee departure and suspected compromise.

Failed login monitoring and connection rate limiting (connection_control plugin) mitigate brute force attacks on exposed instances.

  • Never commit .env files with database passwords
  • Use IAM database authentication on AWS RDS where available
  • Audit mysql.user and role assignments monthly
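A worked version of this section's controls, added here as an example rather than taken from the original page: the validate_password policy values, the account name 'app'@'10.0.%', the threshold and delay figures are this example's own choices, and the password is a placeholder. It needs MySQL 8.0.19 or later for the per-account lockout clause.

```sql
-- Added example, not from the original page. MySQL 8.0.19+.

-- Enforce complexity on every password change via the validate_password
-- component that ships with MySQL 8.0 (policy values are example choices).
INSTALL COMPONENT 'file://component_validate_password';
SET PERSIST validate_password.policy = 'STRONG';
SET PERSIST validate_password.length = 14;

-- Application account on caching_sha2_password with a 90-day rotation
-- window and a one-day lock after five consecutive failed logins.
CREATE USER 'app'@'10.0.%'
  IDENTIFIED WITH caching_sha2_password BY 'placeholder-replace-me'
  PASSWORD EXPIRE INTERVAL 90 DAY
  FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1;

-- Server-wide throttling: after 3 failed attempts from the same
-- user/host pair, each further attempt is delayed 1 s, growing to 10 s.
INSTALL PLUGIN CONNECTION_CONTROL SONAME 'connection_control.so';
INSTALL PLUGIN CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS SONAME 'connection_control.so';
SET PERSIST connection_control_failed_connections_threshold = 3;
SET PERSIST connection_control_min_connection_delay = 1000;   -- milliseconds
SET PERSIST connection_control_max_connection_delay = 10000;

-- Monthly audit of mysql.user: legacy auth plugin, password set to never
-- expire (0), or a wildcard host are each worth a second look.
SELECT user, host, plugin, password_lifetime, account_locked
FROM mysql.user
WHERE plugin = 'mysql_native_password'
   OR password_lifetime = 0
   OR host = '%'
ORDER BY user, host;

-- Who is currently being throttled (evidence of a brute-force attempt).
SELECT * FROM information_schema.connection_control_failed_login_attempts;

-- Role assignments: which role is granted to which account.
SELECT from_user AS role, to_user AS grantee, to_host, with_admin_option
FROM mysql.role_edges
ORDER BY role, grantee;
```

The Connection_control_delay_generated status counter rising on an instance that should only see known clients is a simple alert condition to pair with the failed-login query.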

Network Security

Bind mysqld to private interfaces; expose only through application subnets via security groups. Require TLS for connections crossing untrusted networks.

Disable LOCAL INFILE (local_infile = OFF) if it is not needed, to prevent data exfiltration via LOAD DATA. Use skip-name-resolve to avoid DNS lookup delays and hostname-spoofing concerns.

# my.cnf, [mysqld] section: reject any client that does not negotiate TLS
require_secure_transport = ON
# CA, server certificate and private key used for the TLS handshake
ssl_ca = /etc/mysql/ca.pem
ssl_cert = /etc/mysql/server-cert.pem
ssl_key = /etc/mysql/server-key.pem
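Server-side enforcement is only half of it; the following is an added example (not from the original page) that pins the requirement to individual accounts, switches local_infile off at runtime, and audits live sessions for plaintext connections. The account names 'app'@'10.0.%' and 'replicator'@'10.0.%' are placeholders.

```sql
-- Added example, not from the original page. MySQL 8.0.

-- Confirm the settings from my.cnf took effect and which TLS versions are offered.
SHOW GLOBAL VARIABLES WHERE Variable_name IN
  ('require_secure_transport', 'tls_version', 'local_infile', 'skip_name_resolve');

-- Per-account requirement: even if require_secure_transport is later relaxed,
-- these accounts cannot log in without TLS. REQUIRE X509 additionally demands
-- a client certificate signed by ssl_ca (mutual TLS), useful for replication.
ALTER USER 'app'@'10.0.%' REQUIRE SSL;
ALTER USER 'replicator'@'10.0.%' REQUIRE X509;

-- Turn off LOAD DATA LOCAL at runtime and persist it across restarts.
SET PERSIST local_infile = OFF;

-- Live audit: every client session and the cipher it negotiated. An empty
-- Ssl_cipher is a plaintext session, which must not exist once the setting
-- above is enforced.
SELECT t.processlist_id, t.processlist_user, t.processlist_host,
       s.variable_value AS ssl_cipher
FROM performance_schema.threads t
JOIN performance_schema.status_by_thread s ON s.thread_id = t.thread_id
WHERE t.type = 'FOREGROUND' AND s.variable_name = 'Ssl_cipher'
ORDER BY ssl_cipher, t.processlist_id;

-- Accounts that carry no per-account TLS requirement at all.
SELECT user, host, ssl_type FROM mysql.user WHERE ssl_type = '';
```

Scheduling the session query from a monitoring job turns "require TLS" from a configuration intent into a verified property.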

Data Encryption

TLS encrypts data in transit. InnoDB tablespace encryption encrypts data at rest with keys from KMS or local keyring. Application-level encryption protects especially sensitive columns even from DBAs.

Mask PII in non-production environments. Limit SELECT access to sensitive tables through views and column-level grants where feasible.

  • Enable audit plugin or MariaDB audit for compliance trails
  • Encrypt backups before offsite storage
  • Review DEFINER views that bypass row-level restrictions
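An added example (not from the original page) that puts the three controls together: transparent InnoDB encryption for data at rest, column-level grants plus a masking view for PII, and a review query for DEFINER views. It assumes a keyring component or plugin is already loaded; the schema hr, table employees, column ssn and the accounts are placeholders.

```sql
-- Added example, not from the original page. MySQL 8.0.16+ with a keyring loaded.

-- Encrypt new tablespaces by default and stop ordinary users overriding it
-- (only accounts with TABLE_ENCRYPTION_ADMIN may deviate).
SET PERSIST default_table_encryption = ON;
SET PERSIST table_encryption_privilege_check = ON;

-- Encrypt an existing table and the redo/undo logs explicitly.
ALTER TABLE hr.employees ENCRYPTION = 'Y';
SET PERSIST innodb_redo_log_encrypt = ON;
SET PERSIST innodb_undo_log_encrypt = ON;

-- Find InnoDB tablespaces that are still stored in the clear.
SELECT name, encryption
FROM information_schema.innodb_tablespaces
WHERE encryption = 'N'
  AND name NOT IN ('mysql', 'innodb_system', 'innodb_temporary');

-- Least exposure for sensitive columns: analysts get only the non-PII
-- columns of the base table.
GRANT SELECT (id, department, hire_date) ON hr.employees TO 'analyst'@'10.0.%';

-- The masked view has to read ssn, which the analyst cannot, so it must run
-- with its definer's privileges. Create it from the schema owner account,
-- not root, so the privileges it lends out are bounded; it then shows up in
-- the DEFINER review below, where it is an accepted, documented exception.
CREATE SQL SECURITY DEFINER VIEW hr.employees_masked AS
SELECT id, department, hire_date,
       CONCAT('***-**-', RIGHT(ssn, 4)) AS ssn_masked
FROM hr.employees;
GRANT SELECT ON hr.employees_masked TO 'analyst'@'10.0.%';

-- Review: every DEFINER view lets its invoker read whatever the definer
-- could, bypassing the invoker's own grants and any row restrictions.
SELECT table_schema, table_name, definer, security_type
FROM information_schema.views
WHERE security_type = 'DEFINER'
  AND table_schema NOT IN ('mysql', 'sys', 'information_schema', 'performance_schema');
```

Anything in that last result set whose definer is root or another highly privileged account deserves either a narrower definer or a switch to SQL SECURITY INVOKER.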

Security Checklist

Patch MySQL promptly for CVEs. Run vulnerability scans against database hosts. Apply the principle of least privilege to every account.

Include database security in penetration tests—SQL injection in apps remains the primary application-layer threat vector.

-- Verify SSL in use
SHOW STATUS LIKE 'Ssl_cipher';
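A least-privilege sweep to run alongside patching and scanning, added here as an example that is not part of the original page. The account 'app'@'10.0.%' and the schema shop are placeholders for the narrowing step.

```sql
-- Added example, not from the original page. MySQL 8.0.

-- Global (ON *.*) privileges matter most; anything beyond USAGE on an
-- application account is a finding.
SELECT grantee, GROUP_CONCAT(privilege_type ORDER BY privilege_type) AS global_privs
FROM information_schema.user_privileges
WHERE privilege_type <> 'USAGE'
GROUP BY grantee
ORDER BY grantee;

-- Dynamic privileges (SYSTEM_USER, BACKUP_ADMIN, CONNECTION_ADMIN, ...) live
-- in a separate table and are easy to overlook in a review.
SELECT user, host, priv, with_grant_option
FROM mysql.global_grants
ORDER BY user, host, priv;

-- Accounts able to hand their privileges on to others.
SELECT grantee
FROM information_schema.user_privileges
WHERE is_grantable = 'YES'
GROUP BY grantee;

-- Full picture for one account before narrowing it.
SHOW GRANTS FOR 'app'@'10.0.%';

-- Typical narrowing: drop a blanket global grant in favour of the DML the
-- application actually issues, scoped to its own schema.
REVOKE ALL PRIVILEGES ON *.* FROM 'app'@'10.0.%';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'app'@'10.0.%';
```

Keep the output of the first two queries from each monthly run; a diff between runs is the quickest way to spot a privilege that crept in.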
