I regularly read articles about security, particularly relating to CMS platforms such as WordPress with many pearls of wisdom and tips on how to tighten security.

However one item that I rarely see mentioned is the subject of database security. Applications such as WordPress store information including posts, comments and pages in a MySQL database, making it a common target for hackers. Try Googling “SQL injection attack” and you’ll get the idea!

There’s one mistake that many blog owners make, which I regularly encounter, and it’s really easy to avoid!

When you set up your database(s) via your hosting account control panel (cPanel), you grant users access to the database and assign the level of access. Hosts often describe these differing permission levels generically as follows:-

  • Read only – as it suggests, records can be accessed but not altered.
  • Read/Write – records can be accessed and altered.
  • DBA (database administrator) – has unlimited access to the database and can do whatever they want, including deleting the entire database.

The following table shows a list of privileges available:-

[Table image: MySQL Database privileges]

When first installing a script such as WordPress, you need to grant the user a high level of access so that the required tables can be created. The mistake that I regularly see is that these permissions are never reduced afterwards, leaving the database wide open to attack. Also, if you use your host’s automated WordPress install via an avenue such as Fantastico, it usually grants all permissions to the database user!

Always ensure you reduce the permissions, blocking the database user from carrying out these sorts of actions – grant, lock tables, drop, alter, execute, create. However, keep in mind when installing WordPress plugins that they may need to create tables in your database, requiring a temporary elevation of database privileges.
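As an added example (not part of the original post), here is the over-broad grant a one-click installer typically leaves behind, beside the reduced grant and the check you can run afterwards. The database name `wp_db`, user `wp_user` and host `localhost` are placeholders; substitute your own.

```sql
-- Added example; wp_db, wp_user and localhost are placeholder names.

-- Weak setting: what an automated installer (or a hurried manual install) commonly leaves in place.
-- ALL PRIVILEGES includes DROP, ALTER, CREATE, LOCK TABLES and EXECUTE, and WITH GRANT OPTION
-- lets the account hand those rights to other accounts.
GRANT ALL PRIVILEGES ON wp_db.* TO 'wp_user'@'localhost' WITH GRANT OPTION;

-- Corrected setting: strip everything first so no leftover rights survive, then grant only
-- what WordPress needs for day-to-day operation (reading and writing rows in existing tables).
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'wp_user'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON wp_db.* TO 'wp_user'@'localhost';

-- Check: the output should list only the four row-level privileges granted above
-- (plus the default USAGE line, which confers no rights by itself).
SHOW GRANTS FOR 'wp_user'@'localhost';

-- Temporary elevation while a plugin that creates its own tables is installed; revoke again afterwards.
GRANT CREATE, ALTER ON wp_db.* TO 'wp_user'@'localhost';
-- ... install and activate the plugin, then confirm its tables exist ...
REVOKE CREATE, ALTER ON wp_db.* FROM 'wp_user'@'localhost';
```

The same temporary elevation applies to WordPress core updates that change the database schema, so re-run the check after each update to confirm the reduced grant is still in place.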
