Since hacking is on the rise and we have seen in recent times many WordPress websites are getting hacked daily, it is very important to secure your websites with highly recommended WordPress security plugins and follow the best security practices. However, people give least importance to one particular WordPress security guideline, i.e., assigning minimum required privileges to the MySQL User for WordPress.
What if MySQL user is provided with full privileges?
If a malicious plugin which contains a back door or trojan software, or an SQL Injection happens that might destroy your database, if the full access to the MySQL WordPress database is provided. The malicious user can also modify the structure of the database and not just the data inside it. Imagine if the MySQL user used by WordPress has access to the shopping cart’s MySQL database which is integrated with your WordPress installation, the malicious user can steal your customer’s sensitive information!
Secure WordPress MySQL database with restricted privileges
For a normal operations of your WordPress website (such as writing posts, uploading media files, posting comments, creating new WordPress users and installing WordPress plugins) the MySQL user needs only DATA READ and DATA WRITE access to the database and doesn’t require any other privileges such as ALTER and DROP or any other type of administrator privileges.
How to provide DATA READ and DATA WRITE privileges only
Assign MySQL user privileges to WordPress Database using cPanel
Login to your cPanel and Navigate to Databases section. Under Databases section click on MySQL Databases. Now you need to add the user to the WordPress database. Navigate to the “Add a User to a Database” section and click Add. In the next screen select the the below list of permissions:
Once you check the required privileges, click on the Make Changes button to apply the privileges.
Assign the MySQL user privileges to WordPress Database using PHPMyAdmin
Login to the PHPMyAdmin, click on the WordPress Database on the left sidebar and then on the Privileges tab at the top menu and then click on the MySQL user mentioned in the configuration (wp-config.php) as shown in the below screenshot.
Click on Uncheck All and then check SELECT, INSERT, UPDATE and DELETE as shown below:
Assign MySQL user privileges to WordPress Database using MySQL Command line
If you are using MySQL Command line, you can use the below SQL syntax to assign DATA READ and DATA WRITE only privileges to the user which WordPress will be using to access the MySQL database.
mysql> GRANT SELECT, INSERT, UPDATE, DELETE on [Database].* TO '[mysql_user]'@'[Hostname]' IDENTIFIED BY '[PASSWORD]';
Secure WordPress database with privileges even after hacked!
WordPress administrators come to an illusion that, once the website is hacked, it is over. This is not true. First and the foremost is to limit the damage caused by hacker by restricting the WordPress database privileges. Then restoring the data in a WordPress database is easy from the reliable backups.
Security guidelines for WordPress MySQL Databases
Finally follow these best practices to secure your WordPress MySQL databases:
- Never use the MySQL Root user in WordPress installation
- Use separate MySQL user for different web applications
- Assign minimum required privileges to the MySQL User
- Limit the number of MySQL user who have administrative access to your WordPress site to a minimum
- Use a non predictable MySQL user
- Secure with very strong MySQL user password.
- Maintain reliable backups