How to Connect to a Remote MySQL Database: A Secure, Step-by-Step Guide

When your application, analytics tool, or local development environment lives on one machine and your database lives on another, you need to connect to a remote MySQL database across the network. By default, most managed servers lock MySQL down to local connections only, so remote access requires three deliberate steps: whitelisting the connecting IP, granting the database user remote privileges, and ensuring the firewall permits the MySQL port. This guide walks through each step using the standard cPanel “Remote MySQL” workflow that applies to virtually any host running MySQL or MariaDB.

Key Takeaways
• To connect to a remote MySQL database, you must whitelist your IP as an Access Host, grant the user remote privileges, and open port 3306 in the firewall.
• The cPanel Remote MySQL feature handles IP whitelisting through a simple interface—no manual config edits required.
• Use `mysql -h host -u user -p` from the command line, or a connection string from your application code.
• Never grant `'user'@'%'` (any host) on a production database. Restrict to a specific static IP.
• The safest method is an SSH tunnel, which avoids exposing port 3306 to the internet entirely.

Why is remote MySQL access disabled by default?

MySQL and MariaDB ship configured to bind to localhost (`127.0.0.1`) as a security baseline. This means the database only accepts connections originating from the same server. The rationale is simple: an exposed database port is one of the most aggressively scanned and attacked surfaces on the public internet. Bots continuously probe port 3306 looking for weak credentials and misconfigured permissions.

Because of this, enabling remote access is an opt-in, deliberate action. You are intentionally telling the server, “trust connections from this specific source.” The more precisely you define that source, the safer your database remains.

What do you need before connecting?

Before you can connect to a remote MySQL database, gather the following:

  • The server hostname or IP address of the machine hosting MySQL.
  • A database username and password with appropriate privileges.
  • The database name you intend to access.
  • Your own connecting IP address (the public IP of the machine you’re connecting *from*). You can find this by visiting any “what is my IP” service or running `curl ifconfig.me`.
  • Confirmation that port 3306 (the default MySQL port) is reachable.

How do you whitelist your IP with cPanel Remote MySQL?

The Remote MySQL tool in cPanel is the cleanest way to authorize an external IP. It writes the access host into the database configuration so the server will accept your connection.

  1. Log in to cPanel and open Remote MySQL (under the Databases section).
  2. In the Add Access Host field, enter your public IP address—for example, `203.0.113.45`.
  3. Click Add Host.

That IP is now an authorized Access Host. You can add multiple hosts and remove them later. Avoid entering `%` (a wildcard meaning “any host”), which we’ll explain shortly.

A critical security note most tutorials skip: opening MySQL port 3306 to the entire internet is genuinely risky. Even with a strong password, an exposed port invites relentless brute-force traffic and exploitation of any future MySQL vulnerability. The professional approach is to prefer an SSH tunnel (which exposes *no* database port publicly) or, at minimum, whitelist a single static IP. Never grant `'user'@'%'` on a production database: doing so combines an open port with a permission rule that trusts the whole world, which is the exact recipe attackers hope to find.

How do you grant a database user remote privileges?

Whitelisting the IP is only half the equation. The MySQL user account must also be permitted to connect from your remote host. MySQL identifies users as a combination of *username* and *host*, so `'appuser'@'localhost'` and `'appuser'@'203.0.113.45'` are treated as distinct accounts.

Connect to MySQL on the server (locally or via SSH) and run a `GRANT` statement that names your specific IP:

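```sql
-- Create the account for one specific IP (recommended), then grant privileges.
-- CREATE USER followed by GRANT works on MariaDB and on MySQL 8.0, where
-- GRANT ... IDENTIFIED BY is no longer accepted.
CREATE USER IF NOT EXISTS 'appuser'@'203.0.113.45' IDENTIFIED BY 'a-strong-password';
GRANT ALL PRIVILEGES ON mydatabase.* TO 'appuser'@'203.0.113.45';

FLUSH PRIVILEGES;
```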

If you must allow a small range and your provider supports it, you can use a host pattern. But avoid the wildcard host on production:

```sql
-- AVOID on production: '%' trusts connections from ANY IP
GRANT ALL PRIVILEGES ON mydatabase.* TO 'appuser'@'%';
```

The `FLUSH PRIVILEGES` command reloads the grant tables so your changes take effect immediately. To verify which hosts a user is authorized from, run:

```sql
SELECT user, host FROM mysql.user WHERE user = 'appuser';
```

How do you connect from the command line?

With the IP whitelisted and privileges granted, you can connect to a remote MySQL database using the standard `mysql` client. The `-h` flag specifies the remote host:

```bash
mysql -h db.example.com -u appuser -p
```

You’ll be prompted for the password. To specify a non-default port or the database name directly:

```bash
mysql -h db.example.com -P 3306 -u appuser -p mydatabase
```

If the connection hangs or times out, the most common cause is the firewall blocking port 3306—not a credentials problem. A wrong password returns an immediate “Access denied” error, whereas a blocked port produces a timeout.
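The timeout-versus-rejection distinction above can be checked without credentials by looking at what the server sends first. This is an added example, not part of the original guide; it goes slightly further than the text by also reading the server's greeting packet to report whether TLS is offered or whether the server refused the connecting host (error 1130). The function names and sample packets are constructed for illustration.

```python
import socket
import struct

CLIENT_SSL = 0x0800  # capability bit: the server is willing to negotiate TLS

def parse_greeting(packet: bytes) -> dict:
    """Classify the first packet a MySQL/MariaDB server sends after TCP connect."""
    payload = packet[4:]  # skip 3-byte length and 1-byte sequence id
    if not payload:
        return {"status": "not_mysql"}
    if payload[0] == 0xFF:  # ERR packet, e.g. 1130 "Host ... is not allowed"
        code = struct.unpack_from("<H", payload, 1)[0] if len(payload) >= 3 else 0
        return {"status": "server_error", "code": code,
                "message": payload[3:].decode("latin-1")}
    end = payload.find(b"\x00", 1)  # end of the NUL-terminated version string
    if payload[0] != 0x0A or end < 0 or len(payload) < end + 16:
        return {"status": "not_mysql"}
    # After the version: 4-byte thread id, 8-byte salt, 1 filler, 2-byte caps.
    caps = struct.unpack_from("<H", payload, end + 14)[0]
    return {"status": "handshake",
            "version": payload[1:end].decode("ascii", "replace"),
            "tls_offered": bool(caps & CLIENT_SSL)}

def diagnose(host: str, port: int = 3306, timeout: float = 5.0) -> dict:
    """Separate 'blocked', 'nothing listening', 'host rejected' and 'reachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            return parse_greeting(sock.recv(4096))
    except socket.timeout:
        return {"status": "timeout"}  # packets dropped: firewall rule or wrong IP
    except ConnectionRefusedError:
        return {"status": "refused"}  # no listener, e.g. MySQL bound to 127.0.0.1
    except OSError as exc:
        return {"status": "network_error", "message": str(exc)}

def build_packet(payload: bytes) -> bytes:
    """Frame a payload the way the server does (used for the constructed samples)."""
    return struct.pack("<I", len(payload))[:3] + b"\x00" + payload

# Constructed sample packets, not captured from a real server.
SAMPLE_OK = build_packet(b"\x0a8.0.36\x00" + struct.pack("<I", 7) + b"S" * 8
                         + b"\x00" + struct.pack("<H", 0xFFFF) + b"\x00" * 10)
SAMPLE_DENIED = build_packet(b"\xff" + struct.pack("<H", 1130)
                             + b"Host '198.51.100.7' is not allowed to connect")

if __name__ == "__main__":
    print(parse_greeting(SAMPLE_OK))
    print(parse_greeting(SAMPLE_DENIED))
```

Run `diagnose("db.example.com")` from the machine that will connect; through an SSH tunnel, point it at `127.0.0.1` and the forwarded local port instead.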

How do you connect from an application or connection string?

Most applications connect using a connection string or a set of configuration parameters. The structure is consistent across languages:

```text
mysql://appuser:a-strong-password@db.example.com:3306/mydatabase
```

A few examples in common stacks:

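```python
import pymysql

conn = pymysql.connect(
    host="db.example.com",
    port=3306,
    user="appuser",
    password="a-strong-password",
    database="mydatabase",
    # Enable TLS and verify the server certificate against a CA bundle.
    # The path is a placeholder. Without a CA, PyMySQL encrypts the
    # connection but does not verify which server it is talking to.
    ssl={"ca": "/path/to/ca.pem"},
)
```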

```php
// PHP (PDO)
$pdo = new PDO(
    "mysql:host=db.example.com;port=3306;dbname=mydatabase",
    "appuser",
    "a-strong-password"
);
```

Notice the Python example enables SSL/TLS. Encrypting the connection protects your credentials and data in transit—essential whenever the connection crosses the public internet.

Comparing remote connection methods

Here is how the common approaches compare on security and effort:

| Method | How It Works | Port Exposure | Security | Best For |
| --- | --- | --- | --- | --- |
| Direct + IP whitelist | Open 3306 to one static IP | Limited to whitelisted IPs | Moderate | Fixed-IP servers/offices |
| Direct + `%` wildcard | Open 3306 to all hosts | Fully exposed | Poor (avoid) | Never on production |
| SSL/TLS connection | Encrypt the direct connection | Same as direct | Good | Sensitive data in transit |
| SSH tunnel | Forward MySQL over an SSH session | None (no public DB port) | Excellent | The recommended default |

How do you use an SSH tunnel as a safer alternative?

An SSH tunnel is the most secure way to connect to a remote MySQL database. Instead of opening port 3306 to the internet, you forward the database connection through an encrypted SSH session. The database stays bound to localhost on the server, and no MySQL port is ever exposed publicly.

Create the tunnel from your local machine:

```bash
# Replace sshuser and db.example.com with your own SSH account and server.
ssh -L 3307:127.0.0.1:3306 sshuser@db.example.com
```

This forwards your local port 3307 to port 3306 on the remote server’s localhost. While that SSH session is open, connect as if the database were running locally:

```bash
mysql -h 127.0.0.1 -P 3307 -u appuser -p mydatabase
```

Because traffic rides inside SSH, it’s encrypted end to end, and attackers scanning port 3306 on your server find nothing. This is the approach we recommend for any production workload.


Secure remote database access with DarazHost

Setting up remote MySQL access safely is far easier on hosting built for it. DarazHost plans include cPanel with the Remote MySQL feature, so whitelisting a specific connecting IP takes seconds—no manual config edits. Every plan also provides SSH access for secure tunneling, giving you the encrypted, zero-exposure connection method described above, plus proper firewall control over which ports are reachable. The result is straightforward, secure remote database access without leaving port 3306 open to the world. Our team offers 24/7 support to help you configure access hosts, grants, and tunnels correctly the first time.


How do you connect from MySQL Workbench or DBeaver?

GUI tools make remote connections approachable and both support SSH tunneling natively.

MySQL Workbench:

  1. Create a new connection.
  2. Set Connection Method to *Standard TCP/IP over SSH* for a tunnel, or *Standard (TCP/IP)* for direct.
  3. Enter the SSH host, the MySQL Hostname (`127.0.0.1` when tunneling), port `3306`, username, and password.

DBeaver:

  1. Create a new MySQL connection.
  2. On the Main tab, enter host, port, database, and credentials.
  3. On the SSH tab, tick Use SSH Tunnel and supply your SSH host and key or password.

Both tools let you enable SSL under their security or SSL settings—use it whenever you connect directly rather than through a tunnel.

Security best practices summary

  • Restrict to specific IPs, never `%`, on production databases.
  • Prefer an SSH tunnel so no database port is exposed.
  • Enable SSL/TLS for any direct connection across the internet.
  • Grant least privilege—give the user only the rights it needs, not `ALL PRIVILEGES`, where possible.
  • Use strong, unique passwords and rotate them periodically.
  • Remove access hosts you no longer use from Remote MySQL.
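One way to check existing accounts against the first and fourth points is to audit the output of `SHOW GRANTS`. This is an added example, not part of the original guide; it also flags global (`*.*`) scope and `WITH GRANT OPTION`, which go beyond what the text lists, and the function names and sample rows are constructed for illustration.

```python
import re

# SHOW GRANTS quotes accounts as `user`@`host` (MySQL 8) or 'user'@'host'
# (MySQL 5.7, MariaDB); the pattern accepts both.
GRANT_RE = re.compile(
    r"GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"[`'](?P<user>[^`']*)[`']@[`'](?P<host>[^`']*)[`']",
    re.IGNORECASE,
)

def audit_grant(line):
    """Return (account, findings) for one line of SHOW GRANTS output."""
    m = GRANT_RE.search(line)
    if not m:
        return None, ["unparsed"]
    host, privs = m["host"], m["privs"].upper()
    findings = []
    if host == "%":
        findings.append("any-host")            # the 'user'@'%' case
    elif "%" in host or "/" in host:
        findings.append("host-range")          # pattern or netmask, not one IP
    if privs.startswith("ALL"):
        findings.append("all-privileges")      # broader than least privilege
    if m["scope"] == "*.*" and privs != "USAGE":
        findings.append("global-scope")        # applies to every database
    if "WITH GRANT OPTION" in line.upper():
        findings.append("grant-option")        # account can hand out its rights
    return f"{m['user']}@{host}", findings

def audit(lines):
    """Map each account to the sorted set of findings across its grant lines."""
    report = {}
    for line in lines:
        account, findings = audit_grant(line)
        if findings:
            report.setdefault(account, set()).update(findings)
    return {account: sorted(found) for account, found in report.items()}

# Constructed sample rows (not taken from a real server).
SAMPLE_SHOW_GRANTS = [
    "GRANT USAGE ON *.* TO `appuser`@`203.0.113.45`",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `mydatabase`.* TO `appuser`@`203.0.113.45`",
    "GRANT ALL PRIVILEGES ON `mydatabase`.* TO 'appuser'@'%'",
    "GRANT ALL PRIVILEGES ON *.* TO 'admin'@'198.51.100.%' WITH GRANT OPTION",
]

if __name__ == "__main__":
    for account, found in audit(SAMPLE_SHOW_GRANTS).items():
        print(account, found)
```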

Frequently Asked Questions

Why does my remote MySQL connection time out?
A timeout almost always means the firewall is blocking port 3306 or the IP isn’t whitelisted as an Access Host. A credentials issue produces an immediate “Access denied” message instead. Confirm the port is open and your IP is added in Remote MySQL.

What port does MySQL use for remote connections?
MySQL uses port 3306 by default. MariaDB uses the same port. If your provider runs MySQL on a custom port, specify it with the `-P` flag or in your connection string.

Is it safe to grant `'user'@'%'` access?
No. The `%` wildcard allows connections from any host on the internet, dramatically increasing your attack surface. Always restrict the grant to a specific static IP, or better, use an SSH tunnel and keep the user bound to localhost.

Do I need a static IP to connect remotely?
A static IP makes whitelisting reliable, since dynamic IPs change and break the Access Host rule. If your IP changes frequently, an SSH tunnel is the better solution because it authenticates by SSH credentials rather than by IP address.

How do I encrypt a remote MySQL connection?
Either route the connection through an SSH tunnel (encrypted by default) or enable SSL/TLS in your client. Most drivers accept an `ssl` parameter, and GUI tools like Workbench and DBeaver have a dedicated SSL configuration tab.
