MySQL User Host Access Control Checklist

admin, June 19, 2026

MySQL users are defined by username and host. The same username from localhost and from a remote IP can have different permissions. Understanding user@host is essential for secure database access.

Core principle

Database access is identity plus origin. A user is not only a name; it is a name from a host with specific grants.

Checklist

  1. List database users and their host values.
  2. Identify the application database user.
  3. Check whether users are localhost-only or remote.
  4. Remove wildcard host access when not needed.
  5. Check grants for each user@host.
  6. Confirm the application config uses the intended user.
  7. Restrict remote database access with firewall rules.
  8. Rotate passwords for unknown users.
  9. Test the application after access changes.
  10. Document the database access map.

Reusable lesson

This applies to WordPress database users, remote apps, cloud database separation, staging environments, automation tools and least-privilege design.

Checklist Type: Security
Level: Intermediate
Risk Level: High Risk
Estimated Time: 45–90 minutes

When to Use This Checklist

Use this checklist when hardening MySQL users, remote database access or application database credentials.

Required Tools

MySQL admin access, application config, firewall access, SSH access, password manager

Before You Start

Do not allow remote wildcard database access unless there is a clear architecture and firewall policy.

Structured Checklist Steps

  1. List users and hosts.
  2. Identify app user.
  3. Check localhost users.
  4. Check remote users.
  5. Review wildcard hosts.
  6. Check grants.
  7. Review firewall.
  8. Rotate unknown passwords.
  9. Test app.
  10. Document access map.

Rollback Plan

If access tightening breaks the application, restore only the minimum required user@host grant instead of granting broad remote access.

Common Mistakes

  • Ignoring the host part of MySQL users.
  • Using the '%' wildcard unnecessarily.
  • Opening port 3306 publicly.
  • Using root for applications.
  • Keeping no database access inventory.

Related Commands

mysql -u root -p -e "SELECT user,host FROM mysql.user;"
mysql -u root -p -e "SHOW GRANTS FOR 'app_user'@'localhost';"
mysql -u root -p -e "SHOW GRANTS FOR 'app_user'@'%';"
sudo ss -tulpn | grep 3306
sudo ufw status numbered
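
The first command above only lists accounts; the added example below (not part of the original page) triages that list by origin, covering checklist steps 1, 3 and 4. It reads tab-separated user/host rows; the function names, severity labels and sample accounts are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: triage "user<TAB>host" rows from mysql.user by origin scope.
# Feed it real data with:
#   mysql -u root -p -N -B -e "SELECT user,host FROM mysql.user;" | classify_accounts

classify_accounts() {
  awk -F'\t' '
    NF < 2 { next }   # skip blank or malformed rows
    {
      user = $1; host = $2
      acct = sprintf("\047%s\047@\047%s\047", user, host)   # \047 is a single quote
      is_local = (host == "localhost" || host == "127.0.0.1" || host == "::1")
      # MySQL treats % and _ as wildcards in host values; ip/netmask is a subnet.
      is_pattern = (host ~ /[%_]/ || index(host, "/") > 0)

      if (user == "")                       { sev = "HIGH";   why = "anonymous account" }
      else if (host == "%")                 { sev = "HIGH";   why = "any host allowed" }
      else if (user == "root" && !is_local) { sev = "HIGH";   why = "root reachable remotely" }
      else if (is_pattern)                  { sev = "REVIEW"; why = "host pattern or netmask" }
      else if (!is_local)                   { sev = "REVIEW"; why = "single remote host" }
      else                                  { sev = "OK";     why = "local only" }

      printf "%s\t%s\t%s\n", sev, acct, why
    }'
}

# Constructed sample rows (not taken from any real server).
sample_rows() {
  printf '%s\t%s\n' \
    root localhost \
    root '%' \
    app_user localhost \
    app_user '%' \
    report_user 192.0.2.21 \
    backup_user '198.51.100.%' \
    '' localhost
}

sample_rows | classify_accounts
```

Every HIGH or REVIEW row is a candidate for the SHOW GRANTS check in step 5 and for a matching firewall rule in step 7.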
