Master DevOps Tools & Best Practices - DevOps Knowledge Hub Master DevOps Tools & Best Practices - DevOps Knowledge Hub

Top 7 MySQL Security Best Practices to Protect Your Database

Seven practical MySQL security checks for access control, network exposure, TLS, patching, logging, and encryption.

Top 7 MySQL Security Best Practices to Protect Your Database

MySQL security starts with reducing who can connect, what they can do, and what gets exposed if a host is compromised. The seven checks below give you a practical baseline for production databases without pretending that one setting can make MySQL "secure."

1. Secure User Access Management

Controlling who can access your database and what they can do is the first line of defense. This involves creating specific user accounts with the principle of least privilege, meaning users should only have the permissions necessary to perform their tasks.

Create Strong Accounts

Avoid shared application users and weak passwords. Use mysql_secure_installation on self-managed servers to remove anonymous users, remove the test database where applicable, and tighten the initial root account setup.

Grant Minimal Privileges

Use GRANT statements for the specific database, table, and actions your application needs. Avoid ALL PRIVILEGES for application accounts.

Example:

CREATE USER 'webapp_user'@'10.0.10.%' IDENTIFIED BY 'use-a-real-secret-here';

GRANT SELECT, INSERT, UPDATE ON mydatabase.* TO 'webapp_user'@'10.0.10.%';

You do not need FLUSH PRIVILEGES after normal CREATE USER or GRANT statements. MySQL updates the grant tables for those statements automatically.

Audit accounts regularly:

SELECT user, host, account_locked FROM mysql.user ORDER BY user, host;
SHOW GRANTS FOR 'webapp_user'@'10.0.10.%';

2. Restrict Network Access

Limit the network paths to MySQL. The effective default depends on your MySQL version and package, so inspect your running server instead of assuming it only listens locally.

Check listeners:

ss -ltnp | grep 3306

Bind MySQL to localhost when only local clients need access:

[mysqld]
bind-address = 127.0.0.1

If application servers connect remotely, bind to the private interface and use security groups, firewalls, or network ACLs to allow only those sources to port 3306.

3. Use TLS for Connections

Encrypting data in transit prevents eavesdropping and man-in-the-middle attacks. MySQL supports SSL/TLS encryption for client-server connections.

Server configuration commonly looks like this:

[mysqld]
ssl-ca=/path/to/ca.pem
ssl-cert=/path/to/server-cert.pem
ssl-key=/path/to/server-key.pem

Client example:

mysql -h your_host -u your_user -p --ssl-mode=REQUIRED

For stricter verification, use --ssl-mode=VERIFY_IDENTITY with a hostname that matches the certificate. REQUIRED encrypts the connection but does not verify the server identity as strongly.

4. Keep MySQL Updated

Software vulnerabilities are frequently discovered and patched. Running an outdated version of MySQL can expose your database to known exploits.

Track the release stream you run, apply security updates, and test upgrades in staging before production. If you use a managed database service, review the provider's maintenance policy and set a maintenance window that your team actually watches.

5. Harden the MySQL Server Configuration

Beyond network binding, several other configuration options can enhance security.

Disable local_infile unless your applications need LOAD DATA LOCAL INFILE:

[mysqld]
local_infile = 0

Keep configuration files, TLS keys, and backup credentials readable only by the appropriate system users. Also review installed plugins and remove ones you do not use.

6. Audit and Monitor Logs

Logging is crucial for detecting suspicious activity and for forensic analysis after a security incident.

MySQL Enterprise includes an audit log plugin. Community deployments often use operating system logs, error logs, proxy logs, cloud database audit features, or third-party audit plugins depending on your environment.

At minimum, monitor:

  • Failed logins and authentication errors.
  • New users, changed grants, and privileged statements.
  • Connections from unexpected hosts.
  • Backup job failures and restore test failures.

Do not leave the general query log enabled on a busy production server unless you have a specific short-term troubleshooting need. It can create heavy I/O and may capture sensitive query values.

7. Secure Data at Rest

While SSL/TLS protects data in transit, encrypting data at rest protects it if the underlying storage is compromised.

Use storage or volume encryption for the broad baseline. For sensitive fields, consider application-level encryption so the database does not hold everything needed to decrypt the data.

MySQL also has encryption functions such as AES_ENCRYPT() and AES_DECRYPT(), but do not hard-code keys in SQL or store them beside the data.

Simplified example:

UPDATE users
SET sensitive_data = AES_ENCRYPT('user_private_info', @encryption_key)
WHERE user_id = 1;

SELECT AES_DECRYPT(sensitive_data, @encryption_key)
FROM users
WHERE user_id = 1;

Use a proper key management process for real systems. Encryption without key rotation, access control, and backups of key material can turn a recoverable incident into permanent data loss.

Takeaway

Start with the controls that remove the most risk: least-privilege users, private network access, TLS, patching, and tested backups. Then add audit logging and encryption controls that match your compliance and threat model. Review the setup after every major schema, infrastructure, or access change.