Re: [tlug] Home LAMP webserver update- passwords, users, MySQL, phpmyadmin, Wordpress, oh my

[Raymond Wan <rwan.kyoto@example.com>]

On Fri, Jun 26, 2015 at 3:20 PM, Kevin Sullivan <csr-kts@example.com> wrote:
> -Installing MySQL, it wants a user, password, and a database name, user
> password
>
> -Installing phpmyadmin, it also wants user, password, database name
>
> -Wordpress wants mysql superuser name and password, then apparently
> another wordpress user name, and pw....
>
> What reasonably secure way to handle this myriad of users? Can/should I
> stick to just one user/pw for each component? deal with remembering
> different users/pws? What makes sense here for a
> single-user-administered website serving (for now) one Wordpress
> installation?


I have very little experience with WordPress and a bit more (but not
much) of Joomla.

MySQL will have to have a root user.  Some people create a separate
database administrator account with less access than root to do most
tasks.

Whichever you choose (a root or DBA account), phpmyadmin will need
access to it.  And, unless you want your users to be issuing SQL
commands (probably not), you should probably ensure access is only via
localhost, given your "single-user-administered" system.

As for WordPress, it needs access to the database.  You can give it
the same DBA password or create a separate one with even less access
than the DBA.  But across WordPress installations, I think you can
just change the underlying database for each user, but keep the
account to be the same?

Indeed, at each level you mentioned, you can create another account
such that each one has less (limited) access compared to the one above
it.  But, I'm not sure if that's needed.  You probably want to invest
your time in keeping WordPress up-to-date by applying the latest
patches, instead...  And/or putting yourself on the security mailing
list of WordPress to keep you informed of important updates.

All IMHO, of course...

Ray