Every now and then you see a site that has been hacked due to lack of security. I make it a practice to update my passwords and to keep my configuration files in a directory outside of www/. I change my passwords every 60 days, both on the database and on my WordPress account, and I use randomly generated passwords to provide a little extra security. I'm not saying this will prevent my site from being hacked, but it helps.
Every 60 days I add a user on the database that has only the privileges the application needs to run. I show the current privileges, change the user and password, and add the new user. I record the old one in case I need to fail back. I have also renamed the default "root" user to another username, and I have deleted the test database that is installed when you set up MySQL initially.
I use the CLI to do all my MySQL work, but you can easily do this yourself using phpMyAdmin; make sure the user you make the changes with has GRANT OPTION.
1) SHOW GRANTS FOR '<username>'@'<host>';
GRANT USAGE ON *.* TO 'olduser'@'localhost' IDENTIFIED BY PASSWORD '*BCF0C51505BF07C0AC46B9AEBB7F9726EB4677B8';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE ON `databasename`.* TO 'olduser'@'localhost';
The host part must be the same in both statements: to MySQL, 'olduser'@'%' and 'olduser'@'localhost' are two different accounts, and SHOW GRANTS only lists the grants of the one account you name. 'localhost' is used here because WordPress and MySQL run on the same server.
2) Now you need to change the user and password in the GRANT statements. You have 4 options for setting the password: calling the PASSWORD() function, supplying the hash it produces, or using plain text. Using plain text will put the plain text in the binary log!
Option A: Generate the password hash using MySQL.
SELECT PASSWORD('somepassword');
This will output:
+-------------------------------------------+
| password('somepassword')                  |
+-------------------------------------------+
| *DAABDB4081CCE333168409A6DB119E18D8EAA073 |
+-------------------------------------------+
1 row in set (0.00 sec)
Now that we have the hash of the password "somepassword", we can use it to set the password when applying the grants, so the plain text never appears in the statement:
GRANT USAGE ON *.* TO 'newuser'@'localhost' IDENTIFIED BY PASSWORD '*DAABDB4081CCE333168409A6DB119E18D8EAA073';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE ON `databasename`.* TO 'newuser'@'localhost';
Option B: You can call the PASSWORD() function to set the password inside the GRANT statement.
GRANT USAGE ON *.* TO 'newuser'@'localhost' IDENTIFIED BY PASSWORD('somepassword');
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE ON `databasename`.* TO 'newuser'@'localhost';
Option C: You can set the password by dropping the PASSWORD keyword from the old grant and giving the password in plain text (this is the variant that puts the plain text in the binary log).
GRANT USAGE ON *.* TO 'newuser'@'localhost' IDENTIFIED BY 'somepassword';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE ON `databasename`.* TO 'newuser'@'localhost';
Option D: I do not recommend this, as it is not a proper way to update grants for a user, but you can update the mysql.user table directly to change the user name and password.
UPDATE mysql.user SET user = 'newuser', password = PASSWORD('newpassword') WHERE user = 'olduser';
This is not a proper way of updating a user, but you can use it as long as you have rights to the mysql database.
The next step for any of these changes is FLUSH PRIVILEGES; this makes the server reload the grant tables into memory so the new user takes effect.
The final step is to update the wp-config.php file in your www directory. Open wp-config.php with a text editor (I use VIM for mine) and look for these lines:
/** MySQL database username */
define('DB_USER', 'olduser');
/** MySQL database password */
define('DB_PASSWORD', 'oldpassword');
Update the user and password with your new information.
To further secure my website I have changed my wp-config.php: I took the above lines out, put them in a separate file, and moved that file to a directory outside of the www directory. I have my own server, so I can put it anywhere as long as I know the absolute path. I have also encrypted the file using gpg, which I will talk about in the near future. Once I have made all the password and user updates, I remove the old user from MySQL and flush privileges once again.
Hopefully this article will help those who want to secure their site more efficiently. Please let me know if you have any questions or suggestions for securing a site.
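The whole rotation described above, from generating the random password to the separate credentials file, as an added example in Python (it is not the author's tooling, and nothing here talks to a live server). It assumes MySQL's native password scheme from before 5.7, where PASSWORD() returns '*' followed by SHA1(SHA1(password)) in upper-case hex, so the hash can be computed locally and only the hash goes into the GRANT statement (Option A); it also assumes the credential defines live in a small PHP file outside www/ that wp-config.php requires, as the post describes. Names like rotation_statements and the fixed password alphabet are this example's own choices.

```python
"""Hypothetical credential-rotation helper for the MySQL/WordPress procedure in
the post. Added example code, not the author's own tooling. Assumes the
pre-5.7 mysql_native_password scheme and a credentials file outside www/."""
import hashlib
import secrets
import string

# Alphabet deliberately excludes quotes and backslashes so the password can sit
# inside a single-quoted SQL or PHP literal without any escaping.
ALPHABET = string.ascii_letters + string.digits + "!#%+,-./:=@^_~"

# Exactly the privilege list the post grants to the application account.
APP_PRIVILEGES = ("SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, "
                  "CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, CREATE VIEW, "
                  "SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE")


def random_password(length=24):
    """Random password drawn from ALPHABET with the secrets module (CSPRNG)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def mysql_native_hash(password):
    """Reproduce what SELECT PASSWORD('...') returns for mysql_native_password:
    '*' followed by SHA1(SHA1(password)) as 40 upper-case hex digits."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def rotation_statements(old_user, new_user, host, database, pw_hash):
    """Ordered SQL for the swap. The new account is created with the hash only
    (Option A in the post), so the plain-text password never enters the
    statement or the binary log. The old account is dropped last, after the
    application has been repointed, so a fail-back is still possible."""
    for value in (old_user, new_user, host, database):
        if any(c in value for c in "'`\\"):
            raise ValueError("identifiers must not contain quotes or backslashes")
    old_acct = "'%s'@'%s'" % (old_user, host)
    new_acct = "'%s'@'%s'" % (new_user, host)  # same host on every statement
    return [
        "SHOW GRANTS FOR %s;" % old_acct,
        "GRANT USAGE ON *.* TO %s IDENTIFIED BY PASSWORD '%s';" % (new_acct, pw_hash),
        "GRANT %s ON `%s`.* TO %s;" % (APP_PRIVILEGES, database, new_acct),
        "FLUSH PRIVILEGES;",
        "SHOW GRANTS FOR %s;" % new_acct,
        # Run the last two only once wp-config points at the new account and the site works.
        "DROP USER %s;" % old_acct,
        "FLUSH PRIVILEGES;",
    ]


def credentials_php(new_user, password):
    """Contents of the small PHP file kept outside www/ and required by wp-config.php."""
    return ("<?php\n"
            "/** MySQL database username */\n"
            "define('DB_USER', '%s');\n"
            "/** MySQL database password */\n"
            "define('DB_PASSWORD', '%s');\n" % (new_user, password))


if __name__ == "__main__":
    # Constructed sample run: names mirror the post's placeholders.
    new_password = random_password()
    for statement in rotation_statements("olduser", "newuser", "localhost",
                                         "databasename", mysql_native_hash(new_password)):
        print(statement)
    print(credentials_php("newuser", new_password))
```

The statements are printed rather than executed so that they can be reviewed and pasted into the mysql CLI (or phpMyAdmin) in order; the plain-text password only ever appears in the PHP credentials file, never in a GRANT.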