WordPress MySQL Permissions

Having security in mind, I had some concerns granting all privileges to the WordPress MySQL user (see the instructions from WordPress):

GRANT ALL PRIVILEGES ON databasename.* TO "wordpressusername" [..]

After all, with these privileges the WordPress user would be able to access other databases on this server and do whatever he likes. WordPress has become very popular and is a known target for exploits and the like (as a quick search on milw0rm.com will confirm). I didn’t like that idea.

So here is what I did:

GRANT SELECT, INSERT, UPDATE, CREATE, DELETE ON wordpress.* TO 'wordpress' IDENTIFIED BY 'mypass';

This works fine so far and I don’t think my WordPress installation needs more privileges. Note that the ALTER and DROP statements are missing from my list, which could interfere with future updates. But we’ll see…

Comments

Oh no, new comments are currently disabled.
If you want to get in touch with me, please do so via e-mail: