
WordPress Database Permissions in phpMyAdmin | Guide

Restricting your WordPress database user to only the permissions it needs reduces the damage a SQL injection attack can cause. By default, many hosting providers grant ALL PRIVILEGES to the database user. Limiting permissions to the minimum required for WordPress operation means that even if an attacker exploits a SQL injection vulnerability, they can’t execute dangerous operations like creating new users, granting privileges, or dropping the entire database. This is a standard hardening step that complements WP Ghost’s SQL injection firewall protection.

Why Restrict Database Permissions?

WordPress only needs a specific set of database operations to function. Granting ALL PRIVILEGES gives the database user permissions it never uses, like GRANT, FILE, PROCESS, and SUPER. If an attacker exploits a SQL injection vulnerability in a plugin, these extra permissions allow them to escalate the attack: exporting data, creating admin accounts at the database level, or destroying the entire database. Removing unused permissions limits the blast radius. WP Ghost’s 8G Firewall blocks SQL injection attempts at the server level, but restricting database permissions adds a safety net in case an injection bypasses the firewall through an unpatched vulnerability.

Recommended WordPress Database Permissions

WordPress needs only these eight database permissions for normal operation, including updates and plugin installations:

  • SELECT – Read data from tables (loading posts, pages, settings).
  • INSERT – Add new rows (creating posts, comments, options).
  • UPDATE – Modify existing rows (editing posts, changing settings).
  • DELETE – Remove rows (deleting posts, cleaning transients).
  • ALTER – Modify table structure (required for WordPress and plugin updates).
  • CREATE – Create new tables (required when installing plugins that add database tables).
  • DROP – Remove tables (required when uninstalling plugins that remove their tables).
  • INDEX – Create and manage table indexes (required for some plugin optimizations).

All other permissions (GRANT, FILE, PROCESS, SUPER, LOCK TABLES, REFERENCES, CREATE VIEW, etc.) can safely be revoked for the WordPress database user.

Change Permissions in phpMyAdmin

  1. Log in to phpMyAdmin (usually accessible from your hosting control panel).
  2. Click the Home icon to see all databases.
  3. Find your WordPress database and click Check Privileges.
  4. Click Edit Privileges next to your WordPress database user.
  5. Uncheck all permissions first, then check only SELECT, INSERT, UPDATE, DELETE, ALTER, CREATE, DROP, and INDEX.
  6. Click Go to save the changes.

Test your site after changing permissions. Visit your site, log in to the admin dashboard, and test key functionality (creating a post, uploading media, saving settings). If anything breaks, temporarily grant ALL PRIVILEGES again and investigate which specific permission is needed. Some hosting environments or plugins may require additional permissions like LOCK TABLES or CREATE TEMPORARY TABLES.
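
To confirm the result outside the phpMyAdmin checkboxes, the script below audits the output of SHOW GRANTS for the WordPress user against the eight recommended permissions and builds the REVOKE/GRANT statements that would close the gap. It is an added example, not code from WP Ghost or phpMyAdmin. Assumptions: the account `wp_user`@`localhost`, the database `wp_db`, the sample lines and the function names are constructed for illustration, and column-level grants are not handled.

```python
import re

# The eight privileges the article recommends for the WordPress database user.
ALLOWED = ["SELECT", "INSERT", "UPDATE", "DELETE", "ALTER", "CREATE", "DROP", "INDEX"]

# One line of SHOW GRANTS output: GRANT <privs> ON <scope> TO <account> [options]
GRANT_RE = re.compile(r"^GRANT (.+?) ON (\S+) TO (\S+)(.*)$", re.IGNORECASE)

def audit_grants(lines):
    """Return (scope, account, excess_privileges) for every grant beyond ALLOWED."""
    findings = []
    for line in lines:
        m = GRANT_RE.match(line.strip().rstrip(";"))
        if not m:
            continue
        privs, scope, account, rest = m.groups()
        granted = {p.strip().upper() for p in privs.split(",")}
        granted.discard("USAGE")  # USAGE means "no privileges"
        excess = granted - set(ALLOWED)
        if "WITH GRANT OPTION" in rest.upper():
            excess.add("GRANT OPTION")
        if excess:
            findings.append((scope, account, sorted(excess)))
    return findings

def remediation_sql(findings):
    """Build REVOKE/GRANT statements that reduce each finding to ALLOWED."""
    sql = []
    for scope, account, excess in findings:
        if "GRANT OPTION" in excess:
            sql.append(f"REVOKE GRANT OPTION ON {scope} FROM {account};")
        rest = [p for p in excess if p != "GRANT OPTION"]
        if "ALL PRIVILEGES" in rest:
            sql.append(f"REVOKE ALL PRIVILEGES ON {scope} FROM {account};")
            if scope != "*.*":  # re-grant the eight only at database scope
                sql.append(f"GRANT {', '.join(ALLOWED)} ON {scope} TO {account};")
        elif rest:
            sql.append(f"REVOKE {', '.join(rest)} ON {scope} FROM {account};")
    return sql

# Constructed sample: SHOW GRANTS output for a hypothetical wp_user on database wp_db.
SAMPLE = [
    "GRANT USAGE ON *.* TO `wp_user`@`localhost`",
    "GRANT ALL PRIVILEGES ON `wp_db`.* TO `wp_user`@`localhost` WITH GRANT OPTION",
]

if __name__ == "__main__":
    for stmt in remediation_sql(audit_grants(SAMPLE)):
        print(stmt)
```

Review the generated statements before running them as a privileged MySQL user, then run SHOW GRANTS again to confirm that only the eight permissions remain.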

Not all hosting providers allow this. On shared hosting, the database user and permissions may be managed by the hosting provider and not editable through phpMyAdmin. Check with your hosting provider if the privileges page is restricted or grayed out. Managed WordPress hosts often handle database security at the server level.

Frequently Asked Questions

How does this relate to WP Ghost?

WP Ghost’s 8G Firewall blocks SQL injection attempts at the request level before they reach your database. Restricting database permissions is a defense-in-depth measure: if a SQL injection bypasses the firewall (for example, through an unpatched plugin vulnerability), limited permissions reduce what the attacker can do. Both protections work together for the strongest defense.

Will this break WordPress updates?

No, as long as ALTER, CREATE, DROP, and INDEX permissions are granted. WordPress core updates, plugin updates, and theme updates use these permissions to modify database table structures. Without ALTER, updates that change table schemas will fail.

Does WooCommerce need additional permissions?

The eight permissions listed above are sufficient for WooCommerce in most configurations. WooCommerce uses SELECT, INSERT, UPDATE, DELETE for orders and products, and ALTER and CREATE during updates that add new tables or columns. If you experience issues with WooCommerce after restricting permissions, check if your WooCommerce extensions require LOCK TABLES or CREATE TEMPORARY TABLES.

Can I change permissions from cPanel instead of phpMyAdmin?

Yes. In cPanel, go to MySQL Databases > Current Databases, find your database, and click the user link under “Privileged Users.” You can modify permissions from there. The cPanel interface is often simpler than phpMyAdmin for this task.

Does WP Ghost modify WordPress core files?

No. Database permission changes are made at the MySQL level through phpMyAdmin or cPanel. WP Ghost uses rewrite rules and WordPress hooks for security. Neither modifies core files.


John Darrel
