SYSTEMS OPERATIONAL
Hosting

cPanel Remote MySQL: Allow External Database Connections

Getwebup 6 min read

If you're building an app that needs to talk to your WordPress or custom database from outside the server — a local dev environment, a Node.js microservice, a BI tool like Power BI or Metabase — you'll hit a wall fast. By default, MySQL on a cPanel server only accepts connections from localhost. Here's how to open it up safely using cPanel's Remote MySQL feature, and how to fix the errors that show up when it's set up wrong.

Why MySQL Blocks External Connections by Default

Every cPanel account's MySQL user is created with host restrictions baked in. When you add a database user through cPanel, it's implicitly scoped to localhost unless you explicitly grant it access from another IP. This isn't a bug — it's the whole point. An open MySQL port (3306) facing the internet with weak credentials is one of the fastest ways to get a server compromised, so cPanel keeps it closed unless you ask otherwise.

The catch is that plenty of legitimate use cases need remote access: a developer connecting from their laptop with MySQL Workbench, a reporting dashboard pulling live sales data, or an app hosted on a different server that shares this database. cPanel's Remote MySQL tool exists exactly for this.

Step 1: Whitelist Your IP in Remote MySQL

  1. Log in to cPanel and open Remote MySQL (under the Databases section).
  2. In the "Add Access Host" field, enter the IP address that needs to connect.
  3. Click Add Host.

A few things to get right here:

  • Use your actual public IP, not your local network IP (192.168.x.x or 10.x.x.x won't work — those aren't visible outside your router). Search "what is my IP" to confirm it.
  • If your IP changes often (most home broadband connections do), either use a dynamic DNS hostname if cPanel's version supports it, or plan to update the whitelist each time you reconnect after an IP change.
  • Avoid the wildcard % unless you genuinely need it. It allows any IP on the internet to attempt a connection, and combined with a weak database password, that's an open invitation. If you must use it temporarily for testing, remove it the same day.

Step 2: Confirm the Database User Has the Right Privileges

Whitelisting the IP only handles the network layer. The MySQL user still needs privileges on the specific database. In cPanel, go to MySQL Databases, and under "Add User to Database," make sure the user is linked with the privileges the app actually needs (usually SELECT, INSERT, UPDATE, DELETE for an application; avoid granting ALL PRIVILEGES to a remote-access account unless it truly needs admin-level control).

One detail that trips people up: cPanel prefixes both database names and usernames with your account username, like cpaneluser_dbname and cpaneluser_dbuser. Your connection string needs the full prefixed names, not just what you typed when creating them.

Step 3: Connect From Your Application

With the host whitelisted and privileges granted, connect using your server's hostname or IP, port 3306, and the prefixed credentials:

mysql -h your-server-ip -u cpaneluser_dbuser -p cpaneluser_dbname

For an app config (Node.js example with mysql2):

const connection = mysql.createConnection({
  host: 'your-server-ip',
  user: 'cpaneluser_dbuser',
  password: 'your-password',
  database: 'cpaneluser_dbname',
  port: 3306
});

If you're connecting from a GUI tool like MySQL Workbench, TablePlus, or DBeaver, use a "Standard TCP/IP" connection with the same host, port, and credentials — no SSH tunnel needed once the IP is whitelisted (though an SSH tunnel is a more secure alternative, covered below).

Common Errors and How to Fix Them

Error 1130: "Host '...' is not allowed to connect to this MySQL server"

This is the most common one, and it almost always means one of three things:

  • Your IP isn't actually whitelisted yet (typo, or you added the wrong IP).
  • Your IP changed since you added it — check what "my IP" shows right now versus what's in Remote MySQL.
  • You're connecting through a VPN or proxy that presents a different exit IP than expected.

Double-check the exact IP in cPanel's Remote MySQL list against your current public IP, and re-add it if they don't match.

Error 2003: "Can't connect to MySQL server on '...' (10060/111)"

This means the connection isn't even reaching MySQL — it's being blocked before authentication. Usual causes:

  • Port 3306 is blocked by the server's firewall (CSF, iptables, or a network-level firewall at your hosting provider) even though it's whitelisted in cPanel. Remote MySQL and the server firewall are two separate layers — both need to allow the connection.
  • Your own network or ISP is blocking outbound connections on port 3306, which some corporate and public networks do.

If you're on a Getwebup VPS with CSF running, you'll need port 3306 open in CSF for the specific IP as well, not just in Remote MySQL.

It Connects, But Queries Are Painfully Slow

Remote connections cross the public internet, so latency is naturally higher than a query running on localhost. If it's unusably slow, check whether your app is making many small sequential queries instead of batching them — that overhead gets multiplied by network round-trip time when the connection isn't local.

Security: Do This Before You Walk Away

Opening a database port to the internet is a real risk if you skip the basics. Treat these as non-negotiable, not optional:

PracticeWhy It Matters
Whitelist specific IPs, never % in productionLimits who can even attempt a login, regardless of password strength
Use a strong, unique password for the remote-access DB userBots scan for open 3306 ports constantly and try default/weak credentials
Grant only the privileges the app needsLimits damage if credentials ever leak
Consider an SSH tunnel instead of opening 3306 publiclyTraffic stays encrypted and the port stays closed to the outside world
Remove the whitelist entry when you're done testingTemporary access has a way of becoming permanent if you forget about it

The SSH tunnel option is worth calling out: instead of whitelisting your IP in Remote MySQL, you can SSH into the server with local port forwarding (ssh -L 3306:localhost:3306 user@your-server) and connect your local tool to localhost:3306 as if MySQL were running on your own machine. It's a few extra seconds to set up and it means port 3306 never has to be exposed publicly at all.

Prevention Checklist

  • Only whitelist IPs you actually control and trust.
  • Re-check the whitelist periodically — stale entries from long-gone contractors or old office IPs are an easy thing to forget.
  • Pair Remote MySQL with server-firewall rules (CSF/iptables) rather than relying on one layer alone.
  • Default to SSH tunneling for personal/dev access; reserve direct Remote MySQL whitelisting for apps that genuinely can't tunnel.

Frequently asked questions

Do I need to open port 3306 in the server firewall too, or is cPanel's Remote MySQL enough?

Both. Remote MySQL controls MySQL's own access list, but if a firewall like CSF or iptables is running on the server, it can still block port 3306 independently. You need the IP allowed in both places.

Is it safe to use the wildcard % in Remote MySQL?

Not for production use. The wildcard allows any IP address to attempt a connection, so if the database password is ever guessed or leaked, there's nothing stopping a direct login from anywhere. Whitelist specific IPs instead, or use an SSH tunnel.

Why does my connection work from one location but not another?

Remote MySQL whitelists a specific IP address. If you're connecting from a different network - home vs office, or after your ISP assigns a new dynamic IP - the new IP won't be whitelisted until you add it in cPanel.

What's the difference between using Remote MySQL and an SSH tunnel?

Remote MySQL opens port 3306 to specific external IPs directly. An SSH tunnel forwards a local port through an encrypted SSH connection instead, so port 3306 never has to be exposed to the public internet at all. The tunnel is more secure but requires SSH access and a bit more setup per connection.

#cpanel #remote-mysql #mysql #database #external-connection #server-security

Keep reading

Chat with Support