Databases are an essential component of modern software applications. A database refers to a structured assembly of information, commonly known as data, which is systematically arranged and stored electronically within a computer system.
Structured Query Language (SQL) is a powerful programming language used by nearly all relational databases to query, manipulate, and define data, and provide access control.
One of the most widely used relational database management systems (RDBMS) is MySQL, originally created by MySQL AB and now developed and maintained by Oracle Corporation.
MySQL is open source (a commercial edition is also sold), uses SQL for defining, querying and managing data, and runs on a variety of platforms, including Linux, Windows, and macOS.
MySQL is a widely used RDBMS that requires proper security measures to ensure that it is not vulnerable to potential security threats. By following best practices for securing MySQL databases, we can safeguard sensitive data and prevent unauthorized access.
MySQL lets us enforce a password policy on the server side. The validate_password component rejects passwords that are too short or that lack a mix of uppercase and lowercase letters, digits and special characters, and account options on CREATE USER and ALTER USER can expire passwords after a set interval, block reuse of recent passwords, lock an account after repeated failed logins, and require a user to enter the current password before setting a new one. The statement below creates an account; with validate_password installed, a weak value in the IDENTIFIED BY clause is refused:
CREATE USER 'username'@'localhost' IDENTIFIED BY 'password';
This creates a user named 'username' that can connect only from the local machine and authenticates with the password 'password'. Both values are placeholders: a real account needs a strong, unique password, and the host part should be as narrow as the deployment allows.
A strong password policy limits what an attacker can do with a guessed password or with hashes cracked offline from a copied mysql.user table. It does not protect against an attacker who already controls the host: a web shell with read access to the application's configuration files usually finds the database credentials there in plain text. Keep credentials outside the web root with tight file permissions, and rotate them whenever a host is compromised.
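As an added example (not code from the original article), the following statements install the validate_password component, set a policy, and create an account that satisfies it. The account name 'app_user' and the sample password are placeholders; it assumes MySQL 8.0.19 or later, which is when FAILED_LOGIN_ATTEMPTS and PASSWORD_LOCK_TIME were added.

```sql
-- Added example, not from the original article. Assumes MySQL 8.0.19 or later;
-- 'app_user' and the sample password are placeholders chosen for this example.

-- Load the server-side password validator. It stays installed across restarts.
INSTALL COMPONENT 'file://component_validate_password';

-- MEDIUM = minimum length plus mixed case, digits and special characters.
-- STRONG adds a dictionary check and needs validate_password.dictionary_file.
SET PERSIST validate_password.policy             = 'MEDIUM';
SET PERSIST validate_password.length             = 14;
SET PERSIST validate_password.mixed_case_count   = 1;
SET PERSIST validate_password.number_count       = 1;
SET PERSIST validate_password.special_char_count = 1;
SET PERSIST validate_password.check_user_name    = ON;  -- reject password == user name

-- With the policy active, the weak password from the article is refused:
--   CREATE USER 'app_user'@'localhost' IDENTIFIED BY 'password';
--   ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

-- A compliant account: the password must be changed every 90 days, the last 5
-- passwords cannot be reused, and 3 consecutive failed logins lock it for 1 day.
CREATE USER 'app_user'@'localhost'
  IDENTIFIED BY 'Xk7#pL2qRm9!vT4w'
  PASSWORD EXPIRE INTERVAL 90 DAY
  PASSWORD HISTORY 5
  FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 1;

-- Changing the password now requires the current one, so a hijacked session
-- cannot silently set a new password and lock the real owner out.
ALTER USER 'app_user'@'localhost' PASSWORD REQUIRE CURRENT;

-- Score a candidate against the policy before using it (0 weak .. 100 strong);
-- 'password' scores 25 because it is shorter than validate_password.length.
SELECT VALIDATE_PASSWORD_STRENGTH('password')         AS weak,
       VALIDATE_PASSWORD_STRENGTH('Xk7#pL2qRm9!vT4w') AS strong;

-- Confirm the settings in force and audit the account's restrictions.
SHOW VARIABLES LIKE 'validate_password.%';
SELECT user, host, password_lifetime, password_reuse_history, password_require_current
FROM mysql.user
WHERE user = 'app_user';
```

Because the settings are applied with SET PERSIST, they survive a server restart; without PERSIST they would have to be repeated in my.cnf. The policy is only checked when a password is set or changed, so existing accounts keep their old passwords until they are expired or rotated.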
If we run MySQL in a cloud environment, the provider will offer services that cover part of this work: network isolation, encryption of storage and of connections, and monitoring. For example, Azure Database for MySQL can be covered by Microsoft Defender for open-source relational databases, which detects anomalous activity that may indicate malicious attempts to access the server. Amazon Web Services (AWS) offers AWS Shield to absorb distributed denial-of-service attacks against the applications and databases behind it. These services complement, rather than replace, the account, privilege and encryption settings described here, which remain our responsibility under the shared-responsibility model.
The mysql command-line client keeps a history file, by default .mysql_history in the user's home directory, containing the statements typed interactively. Anything that appeared in a statement, including the passwords in CREATE USER, ALTER USER or GRANT ... IDENTIFIED BY, is written there in plain text, so anyone who can read that file can recover them. Recent client versions skip statements that match the --histignore pattern (by default those containing IDENTIFIED or PASSWORD), but relying on that is fragile. It is safer to disable the history entirely by pointing the MYSQL_HISTFILE environment variable at /dev/null (or symlinking ~/.mysql_history to /dev/null) and to delete any history file that already exists.
A separate, server-side record is the general query log, which records every statement the server receives from every client. It is off by default; if it has been turned on for troubleshooting, turn it off again once you are done:
SET GLOBAL general_log = 'OFF';
This disables the MySQL general query log. Since MySQL 5.6 the server rewrites passwords in statements before writing them to this log unless log_raw is enabled, but the log still reveals the full text of every query and the data inside it, so it should not be left running on a production server, and its file should be readable only by the account the server runs as.
Port 3306 is the default port for the classic MySQL protocol, which is used by the MySQL Connectors, the mysql client and utilities such as mysqldump and mysqlpump (the X Protocol used by MySQL Shell listens on 33060 by default). Because it is well known, Internet-wide scanners probe it constantly, and an exposed 3306 with weak credentials is a common way in. Moving the server to a non-standard port after installation removes it from the most casual scans, but this is obscurity rather than a control: a full port scan identifies the service from its handshake banner within seconds. Treat a changed port as a minor extra and rely on the real controls: set bind_address so the server listens only on the interfaces that need it (127.0.0.1 if the application runs on the same host), and restrict the port with host firewall or cloud security-group rules to the application hosts only. The host part of each account ('username'@'localhost' or a specific subnet) then provides a second layer, so a stolen password is useless from anywhere else.
Access should follow least privilege: each account gets only the privileges it needs, on only the databases, tables or columns it needs, from only the hosts it connects from. The GRANT statement is the tool for this. The broadest form, and the one to avoid for application accounts, is:
GRANT ALL PRIVILEGES ON database_name.* TO 'username'@'localhost';
This gives the user 'username', connecting from localhost, every privilege on every table in database_name, including DROP, ALTER and CREATE, which an application that only reads and writes rows never needs. If its credentials leak, the attacker inherits that full set. Prefer listing the privileges explicitly (SELECT, INSERT, UPDATE, DELETE on the specific tables), never grant on *.* or WITH GRANT OPTION to application users, and use REVOKE to strip privileges an existing account no longer uses. Reviewing SHOW GRANTS for each account periodically catches privilege drift before an attacker finds it.
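As an added example (not code from the original article), here is the GRANT ALL pattern above next to a least-privilege setup for a hypothetical application schema called shop. The schema, the tables and the accounts shop_app, analyst and legacy are placeholders invented for this example, as are the passwords; it assumes MySQL 8.0, which provides roles and column-level grants.

```sql
-- Added example, not from the original article. The schema `shop`, its tables,
-- the accounts and their passwords are placeholders; assumes MySQL 8.0.

CREATE DATABASE IF NOT EXISTS shop;
CREATE TABLE IF NOT EXISTS shop.customers (
  id INT PRIMARY KEY, email VARCHAR(255), password_hash CHAR(60), created_at DATETIME);
CREATE TABLE IF NOT EXISTS shop.orders (
  id INT PRIMARY KEY, customer_id INT, total DECIMAL(10,2), created_at DATETIME);

-- The article's pattern: every privilege on the schema, from any host. Too broad.
CREATE USER IF NOT EXISTS 'legacy'@'%' IDENTIFIED BY 'Lg5$wQ8nHt2#zB1k';
GRANT ALL PRIVILEGES ON shop.* TO 'legacy'@'%';

-- Least privilege instead. The application reads and writes rows in its own
-- schema and connects only from the application subnet: no DROP, ALTER,
-- CREATE, FILE or global privileges.
CREATE USER IF NOT EXISTS 'shop_app'@'10.0.1.%' IDENTIFIED BY 'Ap3!rTq9mNx7&vL2';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'shop_app'@'10.0.1.%';

-- Read-only reporting through a role. The column list means analysts cannot
-- read customers.password_hash at all.
CREATE ROLE IF NOT EXISTS 'shop_readonly';
GRANT SELECT ON shop.orders TO 'shop_readonly';
GRANT SELECT (id, email, created_at) ON shop.customers TO 'shop_readonly';

CREATE USER IF NOT EXISTS 'analyst'@'localhost' IDENTIFIED BY 'An8#yHs4kWp6!qR3';
GRANT 'shop_readonly' TO 'analyst'@'localhost';
SET DEFAULT ROLE 'shop_readonly' TO 'analyst'@'localhost';

-- Tighten the over-privileged account: revoke everything, pin it to the one
-- host that uses it, then grant back only what it is observed to need.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'legacy'@'%';
RENAME USER 'legacy'@'%' TO 'legacy'@'10.0.1.20';
GRANT SELECT, INSERT ON shop.orders TO 'legacy'@'10.0.1.20';

-- Audit: what can each account actually do now?
SHOW GRANTS FOR 'shop_app'@'10.0.1.%';
SHOW GRANTS FOR 'analyst'@'localhost' USING 'shop_readonly';

-- Accounts reachable from any host, and accounts holding dangerous global
-- privileges or the ability to grant, deserve a second look (root will appear;
-- anything else should be justified).
SELECT user, host FROM mysql.user WHERE host = '%';
SELECT grantee, privilege_type, is_grantable
FROM information_schema.user_privileges
WHERE privilege_type IN ('SUPER', 'FILE', 'PROCESS', 'SHUTDOWN') OR is_grantable = 'YES';
```

RENAME USER keeps whatever privileges remain on the account, which is why the REVOKE comes first. The two audit queries at the end are worth scheduling: a wildcard host or an unexpected FILE privilege is the kind of thing that accumulates quietly and turns a SQL injection into file reads on the server.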
It is important to encrypt data both at rest and in transit. Out of the box a MySQL client may connect in cleartext: the server ships with TLS support and generates self-signed certificates on first start, but nothing forces a client to use them, so credentials and query results can be read or altered by anyone positioned on the network path in a man-in-the-middle (MitM) attack. Data stored unencrypted is exposed whenever backups, disk snapshots or the disks themselves are copied or stolen, compromising the privacy and integrity of users.
To address this, enable TLS between MySQL clients and the server and make it mandatory with require_secure_transport, so a client that does not negotiate TLS is refused rather than silently falling back to cleartext; clients should also verify the server certificate, since TLS without verification still lets an active attacker impersonate the server. Skipping encryption on a "protected" internal network is a common shortcut, but most breaches begin with a foothold inside that network, so treat it as an exception to justify rather than the default. For data at rest, InnoDB tablespace encryption, with keys held in a keyring backed by a KMS or HSM, protects the data files, and backups should be encrypted separately with their own keys. Together these keep sensitive information confidential even when the network or the storage is compromised.
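As an added example (not code from the original article), the following statements make TLS mandatory, require it per account, and encrypt a table at rest. The accounts shop_app and dba, the schema shop and the CA subject are placeholders; it assumes MySQL 8.0.16 or later with a keyring component or plugin already configured (keyring_file is fine for a lab; use an external KMS in production).

```sql
-- Added example, not from the original article. Assumes MySQL 8.0.16 or later
-- with a keyring already configured. The accounts, the schema `shop` and the
-- CA subject are placeholders chosen for this example.

-- 1. In transit. Check that the server has a certificate and key loaded
--    (it generates self-signed ones on first start; replace them with
--    CA-issued certificates so clients can verify the server's identity).
SHOW VARIABLES WHERE Variable_name IN ('ssl_ca', 'ssl_cert', 'ssl_key', 'tls_version');

-- Refuse cleartext connections entirely and drop obsolete protocol versions.
-- A client that does not negotiate TLS gets ER_SECURE_TRANSPORT_REQUIRED.
SET PERSIST require_secure_transport = ON;
SET PERSIST tls_version = 'TLSv1.2,TLSv1.3';
ALTER INSTANCE RELOAD TLS;   -- apply the new TLS settings without a restart

-- Per-account requirements are still worth setting: the application must use
-- TLS even if the global switch is later relaxed, and the DBA account must
-- present a client certificate from our CA (mutual TLS), not just a password.
CREATE USER IF NOT EXISTS 'shop_app'@'10.0.1.%' IDENTIFIED BY 'Ap3!rTq9mNx7&vL2';
CREATE USER IF NOT EXISTS 'dba'@'10.0.2.%'      IDENTIFIED BY 'Db4&kNw7sYq2#pH9';
ALTER USER 'shop_app'@'10.0.1.%' REQUIRE SSL;
ALTER USER 'dba'@'10.0.2.%' REQUIRE ISSUER '/C=US/O=Example Corp/CN=Example Internal CA';

-- Verify from a session: an empty Ssl_cipher means this connection is cleartext.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
SHOW SESSION STATUS LIKE 'Ssl_version';
-- Accounts with no TLS requirement of their own:
SELECT user, host, ssl_type FROM mysql.user WHERE ssl_type = '';

-- 2. At rest. Encrypt the tables that hold sensitive data with InnoDB
--    tablespace encryption; each tablespace key is wrapped by the keyring's
--    master key, so copied data files are useless without the keyring.
CREATE DATABASE IF NOT EXISTS shop;
CREATE TABLE IF NOT EXISTS shop.customers (id INT PRIMARY KEY, email VARCHAR(255));
ALTER TABLE shop.customers ENCRYPTION = 'Y';
ALTER INSTANCE ROTATE INNODB MASTER KEY;   -- rotate the wrapping key on a schedule

-- Make encryption the default for schemas created from now on.
SET PERSIST default_table_encryption = ON;

-- Confirm which tables are encrypted and spot the ones that are not.
SELECT table_schema, table_name, create_options
FROM information_schema.tables
WHERE table_schema = 'shop';
```

On the client side, connect with --ssl-mode=VERIFY_IDENTITY (or the equivalent connector option) so the server certificate is checked against the CA and the host name; REQUIRE SSL on the account only guarantees that the channel is encrypted, not that the client is talking to the right server. Tablespace encryption covers data files, undo and redo logs once enabled there; logical dumps made with mysqldump are still cleartext and need their own encryption.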