Log in
Free Trial
Strengthening MySQL with Security Checks

MySQL Security Checks

Written By ROMAN AGABEKOV | MAY 05, 2024

Last update | MAY 17, 2025

Databases power everything from e-commerce platforms to mobile apps, making their security a top priority. Effective security measures help prevent unauthorized access and stave off data breaches, which could have serious legal repercussions and damage a company's reputation. Regular security checks are essential for upholding the integrity and safety of databases by enforcing security protocols, identifying vulnerabilities, and proactively enhancing security.

MySQL Security Check Categories

To maintain a secure and robust MySQL database environment, it’s important to use the built-in MySQL security parameters with the correct settings. Each category listed below focuses on a specific area of security to protect data integrity, prevent unauthorized access, and ensure that the database operates within the security best practices framework:
Authentication and Access Control
This category focuses on mechanisms that control and verify access to the database system so that only authorized users and processes can interact with the database content. When effective, this acts as the first line of defense against unauthorized access.

  • Skip Grant Tables
  • Strict SQL Mode
User and Privilege Management
Proper management of user accounts and their privileges guarantees that only authorized users have the appropriate access levels. This category helps prevent excessive privileges that could lead to data leaks or unauthorized database changes.

  • Automatically Creating User
  • Validated Password Plugin
Configuration and Maintenance
This category assesses how databases are configured and maintained, which is essential for protecting the database environment from both internal misconfigurations and external threats.

  • Symbolic Link Support
  • Test Database Existence
Network and Connection Security
Network security settings control how the database interacts with other systems and manages incoming and outgoing network traffic. Properly configured settings prevent malicious access while ensuring that the database can efficiently process legitimate requests.

  • MySQL Bind Address

Security Checks

Security checks can be leveraged to verify that your database adheres to top security standards. They offer a systematic approach to identifying potential vulnerabilities within your database settings, helping to fine-tune your database configuration to block unauthorized access and safeguard data integrity. By routinely conducting these assessments, you can pinpoint and mitigate security risks early.

1. Skip Grant Tables

The Skip Grant Tables (--skip-grant-tables) setting is a security feature in MySQL that controls whether the server enforces its privilege system at startup. Activating this option means the server entirely bypasses the grant tables – effectively disabling all authentication mechanisms.

This leaves the database completely open, allowing anyone with server access to connect and manipulate databases freely. While this may be useful for recovery operations, it poses a significant security risk during regular usage.
How to Check if skip-grant-tables is Enabled
To determine if your MySQL server is running with this risky setup, use the following command:
SHOW VARIABLES LIKE 'skip_grant_tables';
Interpreting the Results
  • PASSED – If skip-grant-tables value is OFF/Empty.
Recommended Solution
The best practice is that the MySQL database does not start with the --skip-grant-tables option unless absolutely necessary for recovery purposes. Make sure this option is not included in your MySQL configuration files or startup scripts.

2. Strict SQL Mode

Strict SQL Mode (sql_mode) governs how the server processes invalid or missing values in data modification statements like INSERT or UPDATE. When activating this mode, MySQL actively rejects errors or improper value adjustments. This setting can prevent data corruption and avoid unexpected operational behaviors.
How to Check if STRICT_ALL_TABLES is Enabled
To determine whether your MySQL server is running in Strict SQL Mode, you can examine the current configuration with this SQL command:
SHOW VARIABLES LIKE 'sql_mode';
Interpreting the Results
PASSED – If STRICT_ALL_TABLES is found within sql_mode.
Recommended Solution
To best secure and manage your database, it's recommended to enable Strict SQL Mode for all operations. You can do this by adding STRICT_ALL_TABLES to your MySQL configuration. Update your configuration file (my.cnf or my.ini) with the following line:
sql_mode=STRICT_ALL_TABLES
Or, you can set this mode dynamically using:
SET GLOBAL sql_mode='STRICT_ALL_TABLES';

3. Automatically Creating a User

In earlier versions of MySQL, particularly before 8.0.11, a critical security setting known as NO_AUTO_CREATE_USER was available. This setting falls under the SQL mode options and is key for controlling how new user accounts are created.

When enabled, it prevents the GRANT statement from automatically creating a user unless explicit authentication details, such as a password or an authentication plugin, are specified. This feature is deprecated in newer versions of MySQL, meaning it's automatically set to prevent auto-creation without requiring explicit inclusion in the SQL mode.
How to Check if NO_AUTO_CREATE_USER is Enabled
If you are using an older version of MySQL (<8.0.11), you can run the following command to view your current SQL mode settings:
SHOW VARIABLES LIKE 'sql_mode';
Look for NO_AUTO_CREATE_USER in the output. The presence of this setting will indicate whether the security measure is actively enforced.
Interpreting the Results
  • PASSED – If NO_AUTO_CREATE_USER is found within sql_mode.
Recommended Solution
For versions of MySQL where NO_AUTO_CREATE_USER is applicable (prior to 8.0.11), it is recommended to enforce this setting. You can add NO_AUTO_CREATE_USER to the SQL mode settings in your MySQL configuration file or dynamically with the following command:
SET GLOBAL sql_mode=(SELECT CONCAT(@@sql_mode,',NO_AUTO_CREATE_USER'));
Now, any attempt to create a user via the GRANT statement without explicit authentication details will be blocked.

4. Symbolic Link Support

The Symbolic Link Support (have_symlink) setting determines whether symbolic links can be used to reference tables. Enabled through the have_symlink system variable, this feature permits tables to be symbolically linked to files or directories outside the default data directory. Although useful for specific data management and migration strategies, enabling symbolic links can increase the risk of unauthorized database access and data manipulation.
How to Check if have_symlink is Enabled
To check if your MySQL server allows symbolic links:
SHOW VARIABLES LIKE 'have_symlink';
Interpreting the Results
  • PASSED – If the value of have_symlink is NO.
Recommended Solution
Disabling symbolic link support is generally advised unless it's necessary for a specific, securely managed use case. Turning off this feature helps protect your database from external manipulations that could compromise data integrity.

To disable symbolic links, update the have_symlink setting to NO, either within your MySQL session or permanently in your configuration file. For example, to disable dynamically:
SET GLOBAL have_symlink = 'NO';

5. Test Database Existence

When setting up MySQL, particularly on production servers, it's essential to double-check for the presence of the default 'test' database. This database comes standard with every MySQL installation and is open to everyone, including anonymous users, which is a major security red flag. It shouldn’t be left accessible.
How to Check if the Test Database Exists
To determine whether the 'test' database still exists on your MySQL server, run the following SQL command:
SHOW DATABASES LIKE 'test';
Interpreting the Results
PASSED – If the value is NO for a test database.
Recommended Solution
The safest approach is to remove the 'test' database unless it serves a specific, harmless purpose in a secure environment. Executing this command deletes the 'test' database:

DROP DATABASE test;

6. MySQL Bind Address

The ‘MySQL is bound all interface’ setting, officially known as the bind_address configuration, determines how MySQL handles incoming TCP/IP connections. By default, this setting may allow MySQL to accept connections on all IPv4 interfaces available to the server, which can expose your database to potential external threats.
How to Check the Bind Address Configuration
To check how your MySQL server is configured in terms of network accessibility, you can inspect the current bind_address setting with the following SQL command:
SHOW VARIABLES LIKE 'bind_address';
This command will display the IP address or addresses on which MySQL is set to listen for incoming connections.
Interpreting the Results
  • FAILED - if value is '0.0.0.0' or '::'
  • PASSED - otherwise or If the result shows a specific IP address or 127.0.0.1 (localhost) or empty
Recommended Solution
Configure the bind_address to either a specific IP address that requires remote access or 127.0.0.1 if only local access is needed. This change restricts server access to intended users and reduces the risk of attacks. Update your MySQL configuration file (my.cnf or my.ini) with the appropriate line:

bind_address = 192.168.1.100  # Example specific IP address

OR

bind_address = 127.0.0.1  # Restrict to localhost

To apply these changes, restart your MySQL server. Adjusting the bind_address limits your database's exposure to the Internet and is a critical step in securing your MySQL environment against unauthorized network access.

7. Password Complexity

Password validation is key to verifying that all database passwords meet specific security standards, which significantly enhances the system's defense against brute-force attacks. This setting is managed through the password validation plugin, which enforces rules related to password complexity, such as length, character variety, and case sensitivity.
How to Check Password Validation Plugin Configuration
To check if your MySQL server has the password validation plugin enabled and properly configured, you can use the following SQL command:
SHOW VARIABLES LIKE 'validate_password%';
This command will display the current configuration of the password validation settings, allowing you to verify if the plugin is active and configured according to security best practices.
Interpreting the Results
The configuration of the password validation plugin is indicated by several values:
For MySQL PASSED:
  • validate_password_length ≥ 14
  • validate_password_check_user_name = ON
  • validate_password_policy = STRONG

For MariaDB PASSED:
  • simple_password_check_minimal_length ≥ 14
  • simple_password_check_digits ≥ 1
  • simple_password_check_letters_same_case ≥ 1
  • simple_password_check_other_characters ≥ 1
Recommended Solution
To maximize security, it's recommended that the password validation plugin be enabled and configured with strong settings:

  1. Enable the Plugin – Check that the plugin is activated by including it in your MySQL server's configuration:

INSTALL PLUGIN validate_password SONAME 'validate_password.so';

2.Configure Password Policies – Set the desired password validation policies by adding the following lines to your MySQL configuration file (my.cnf or my.ini):

validate_password.policy=STRONG
validate_password.length=14
validate_password.mixed_case_count=1
validate_password.number_count=1
validate_password.special_char_count=1
validate_password.check_user_name=ON

These settings require passwords to be at least 14 characters long, include mixed-case letters, numbers, and special characters, and prevent the use of the username within the password. By implementing these security measures, you ensure that all passwords used in your MySQL environment are strong.

For additional details on setting up and configuring the password validation plugin, you can refer to the MySQL documentation:


And for MariaDB users:

8. MySQL Anonymous Users Existence

By default, MySQL installations may include anonymous user accounts - accounts with an empty username (''). These accounts allow connections without specifying a username or password, posing significant security risks. Such accounts can inadvertently grant access to unauthorized users, especially if they have associated privileges or if the test database is present. It’s crucial to identify and remove these accounts in production environments to prevent unauthorized access.
How to Check if Anonymous Users Exists
To identify anonymous users, execute the following SQL query:
SELECT CONCAT(QUOTE(user), '\@', QUOTE(host)) 
FROM mysql.user 
WHERE (TRIM(USER) = '' OR USER IS NULL);
Interpreting the Results
PASSED - No rows are returned, indicating no anonymous user accounts exist.
FAILED - One or more rows are returned, showing the presence of anonymous user accounts.

Recommended Solution
To eliminate anonymous user accounts, execute the following commands:
DELETE FROM mysql.user WHERE User = '';
FLUSH PRIVILEGES;
These commands remove all anonymous user accounts and refresh the privilege tables to apply the changes.

9. Blank Passwords Existence

MySQL allows user accounts to exist without a password, especially in default or legacy installations. These accounts pose a critical security risk, as attackers can connect without any authentication. It’s essential to detect and eliminate accounts with empty passwords to secure your database instance.
How to Check if Blank Passwords Exists
Run the following query to identify accounts with blank passwords:

For MariaDB >= 10.4
SELECT CONCAT(QUOTE(user), '@', QUOTE(host)) FROM mysql.global_priv WHERE
    ( user != ''
    AND JSON_CONTAINS(Priv, '"mysql_native_password"', '$.plugin') AND JSON_CONTAINS(Priv, '""', '$.authentication_string')
    AND NOT JSON_CONTAINS(Priv, 'true', '$.account_locked')
    )

For MySQL and MariaDB < 10.4
SELECT CONCAT(QUOTE(user), '\@', QUOTE(host)) FROM mysql.user WHERE ($PASS_COLUMN_NAME = '' OR $PASS_COLUMN_NAME IS NULL)
    AND user != ''
    /*!50501 AND plugin NOT IN ('auth_socket', 'unix_socket', 'win_socket', 'auth_pam_compat') */
    /*!80000 AND account_locked = 'N' AND password_expired = 'N' */

Where the value of <PASS_COLUMN_NAME> is defined according to the scheme:
Check for a new table schema, use the following queries:
- SELECT 1 FROM information_schema.columns WHERE TABLE_SCHEMA = 'mysql' AND TABLE_NAME = 'user' AND COLUMN_NAME = 'password';
- SELECT 1 FROM information_schema.columns WHERE TABLE_SCHEMA = 'mysql' AND TABLE_NAME = 'user' AND COLUMN_NAME = 'authentication_string';

1) If both queries return a result of 1, then <PASS_COLUMN_NAME>=IF(plugin='mysql_native_password', authentication_string, password)
2) If only the second query returned a result of 1, then <PASS_COLUMN_NAME> = authentication_string
3) else <PASS_COLUMN_NAME> = password
Interpreting the Results
PASSED - No rows are returned, indicating no blank passwords.
FAILED - One or more rows are returned, showing users have blank passwords.

Recommended Solution
For each user listed, set a strong password or remove the account if it’s not needed. To set a password, use:
ALTER USER 'username'@'host' IDENTIFIED BY 'StrongPasswordHere';
Or to delete the user:
DROP USER 'username'@'host';

10. Username Used as Password

Using the same value for both username and password is a critical security vulnerability. It makes brute-force and credential stuffing attacks trivially easy. This is often found in legacy or default configurations. It’s essential to detect and eliminate such weak credentials, especially in production environments.
How to Check if Username Used as Password
You can detect whether any user has a password identical to their username with the following one-command checks depending on your MySQL version.

For MySQL 8.0+:
SELECT CONCAT(QUOTE(user), '\@', QUOTE(host))
FROM mysql.user
WHERE user != '' AND (
CAST(<PASS_COLUMN_NAME>  AS BINARY) = CONCAT('*', UPPER(SHA1(UNHEX(SHA1(user))))) OR
CAST(<PASS_COLUMN_NAME>  AS BINARY) = CONCAT('*', UPPER(SHA1(UNHEX(SHA1(UPPER(user))))))
);

For MySQL < 5.7 and MariaDB:
SELECT CONCAT(QUOTE(user), '\@', QUOTE(host))
FROM mysql.user
WHERE user != '' AND (CAST(<PASS_COLUMN_NAME> as Binary) = PASSWORD(user) OR CAST(<PASS_COLUMN_NAME> as Binary) = PASSWORD(UPPER(user)))

Where the value of <PASS_COLUMN_NAME> is defined according to the scheme:
Check for a new table schema, use the following queries:
- SELECT 1 FROM information_schema.columns WHERE TABLE_SCHEMA = 'mysql' AND TABLE_NAME = 'user' AND COLUMN_NAME = 'password';
- SELECT 1 FROM information_schema.columns WHERE TABLE_SCHEMA = 'mysql' AND TABLE_NAME = 'user' AND COLUMN_NAME = 'authentication_string';

1) If both queries return a result of 1, then <PASS_COLUMN_NAME>=IF(plugin='mysql_native_password', authentication_string, password)
2) If only the second query returned a result of 1, then <PASS_COLUMN_NAME> = authentication_string
3) else <PASS_COLUMN_NAME> = password
Interpreting the Results
PASSED - No rows are returned, meaning no users have their username as their password.
FAILED - One or more rows are returned represent insecure user accounts with weak credentials.
Recommended Solution
Update the password for each affected user to a secure, unique value:
ALTER USER 'username'@'host' IDENTIFIED BY 'StrongPasswordHere';
Then apply the changes:
FLUSH PRIVILEGES;

11. Remote Root Login

Allowing the root user to connect remotely poses a serious security risk. If remote root access is enabled, attackers can attempt to brute-force or exploit misconfigured services over the network. Best practice is to allow root access only from localhost or 127.0.0.1 and use separate administrative accounts with limited privileges for remote access.
How to Check if Remote Root Login Allowed
Run the following SQL query:
SELECT CONCAT(QUOTE(user), '@', host) 
FROM mysql.user 
WHERE user = 'root' AND (host != 'localhost' AND host != '127.0.0.1');
Interpreting the Results
PASSED - No rows are returned, meaning root access is restricted to local connections only.
FAILED - One or more rows are returned represent the root user is allowed to log in remotely.
Recommended Solution
To secure your MySQL instance:

  1. Remove remote root access:
DROP USER 'root'@'<remote_host>';
2.Optionally, create a less privileged user for remote administration.

How Releem Helps with Security Checks

Releem is now conducting these security checks across all managed servers to strengthen your MySQL database security! By consistently assessing elements like database configurations, user privileges, and network settings, Releem verifies that your server has not incorrectly enabled or disabled any settings –unintentionally leaving a backdoor open.

For a more detailed overview of securing your MySQL database, please visit our full guide here: Securing Your MySQL Database.

Article by

  • Roman Agabekov
    Founder & CEO
    Roman Agabekov has 17 years of experience managing and optimizing MySQL and MariaDB in high-load environments. He founded Releem to automate routine database management tasks like performance monitoring, tuning, and query optimization. His articles share practical insights to help others maintain and improve their databases.
Keeping an Eye on MySQL with Health Checks
MySQL Performance Tuning Guide
How MySQL Configuration Impacts the Performance of Web Applications
How do you keep high-performance MySQL configuration?

Explore More
Ready to dive in?
Try Releem today for FREE!
Start Free Trial