Sometimes you need to connect to your MySQL database from outside the server — to run reports from a desktop client like Sequel Pro / DBeaver / MySQL Workbench, to integrate with an external app, or to pull data into a local development environment. This article covers the options on shared hosting, VPS, and dedicated servers.

Quick summary: shared hosting blocks direct remote MySQL for security — use SSH tunneling instead (works on Medium and Professional plans). VPS and dedicated servers can enable direct remote MySQL with proper firewall restrictions.

Why direct remote MySQL is blocked on shared hosting

Shared hosting servers run hundreds of cPanel accounts on the same MySQL daemon. If we exposed port 3306 (MySQL) to the internet, every client database would be reachable from anywhere — making the server a high-value target for brute-force attacks and credential leaks. A single compromised credential on one client's site would give an attacker network-level access to attempt logins on every other database on the server.

Instead, we keep MySQL bound to localhost. To connect from outside, you tunnel the connection through SSH, which authenticates as your cPanel user before any MySQL traffic flows.

SSH tunneling on shared hosting (Medium and Professional)

SSH is available on Medium and Professional plans (it's disabled by default on new accounts — open a ticket to enable). Once SSH is enabled, you can tunnel MySQL through it.

From macOS or Linux

ssh -L 3307:localhost:3306 -p 22 [email protected] -N

This forwards port 3307 on your local machine to port 3306 on the server, through your authenticated SSH session. Leave the terminal open while you work.

Then in your MySQL client:

  • Host: 127.0.0.1 (the tunnel endpoint)
  • Port: 3307
  • Username / password: your MySQL user credentials (created in cPanel MySQL Databases)
  • Database: the database name (e.g. yourcpuser_wp1)

From Windows (PuTTY)

  1. Open PuTTY, enter your server's hostname or IP, port 22, set up your SSH key as usual.
  2. In the left tree, expand Connection → SSH → Tunnels.
  3. Source port: 3307. Destination: localhost:3306. Click Add.
  4. Save the session (back at Session in the tree, give it a name and click Save).
  5. Click Open to connect. Leave PuTTY running while you use the tunnel.

Most desktop MySQL clients (DBeaver, MySQL Workbench, TablePlus, etc.) also have SSH tunnel built in — configure the SSH connection details in the client itself and skip the standalone tunnel.

DBeaver / TablePlus / MySQL Workbench — built-in SSH tunnel

In the connection settings, enable SSH tunnel and provide:

  • SSH host: yourdomain.com or yourserver.canspace.ca
  • SSH port: 22
  • SSH user: your cPanel username
  • Authentication: SSH key (preferred) or password
  • MySQL host: localhost
  • MySQL port: 3306
  • Database: your database name
  • MySQL user / password: your MySQL credentials

Direct remote MySQL on VPS / dedicated servers

On a self-managed VPS or dedicated server, you can open MySQL to the public — but do it carefully.

1. Allow the remote IP in cPanel

cPanel maintains a per-account allowlist for remote MySQL access:

  1. cPanel home → Remote MySQL (under the Databases section).
  2. Add the IP address (or netblock) you'll connect from. Use a single IP if possible. Wildcards work but are insecure.

2. Open the firewall

cPanel's CSF firewall blocks port 3306 by default. Add the remote IP to csf.allow with port restriction so only that IP can hit MySQL:

csf -a YOUR.REMOTE.IP "Remote MySQL access"

Or via WHM → ConfigServer Security & FirewallQuick Allow.

3. Connect

From your remote machine, connect with the server's public IP or hostname:

mysql -h yourdomain.com -P 3306 -u yourcpuser_dbuser -p yourcpuser_dbname

Or use any GUI client — same details, no SSH tunnel needed.

Restrict to specific IPs only. Wildcards (% in cPanel's Remote MySQL allowlist, or 0.0.0.0/0 in CSF) leave MySQL exposed to the entire internet. If your remote IP is dynamic, prefer SSH tunneling over wildcard allowlisting.

Security recommendations

  • Use SSH tunneling whenever possible. Even on a VPS where you could open MySQL directly, tunneling is more secure: SSH authenticates first, encrypts the channel, and no one can scan port 3306 from outside.
  • Strong, unique MySQL passwords. Don't reuse the password across multiple databases.
  • Limit user privileges. A user that only reads data shouldn't have DROP TABLE permission. Create separate users with minimal grants for different roles.
  • Don't store credentials in client-side code. Especially for connections from desktop apps — use connection profiles in your MySQL client and rely on its own credential storage.

Related articles

Still stuck? Open a support ticket

Var dette svaret til hjelp? 0 brukere syntes dette svaret var til hjelp (0 Stemmer)

Mest populære

Getting started with your VPS or dedicated server

Welcome! This article is a quick orientation for new VPS and dedicated server clients - what you...
Logging in to WHM on your VPS or dedicated server

WHM (WebHost Manager) is the server-wide control panel for your VPS or dedicated server. It's...
Creating a cPanel account on your VPS or dedicated server

Each website you host on your server needs its own cPanel account. This article walks through...
Accessing your VPS or dedicated server via SSH

SSH (Secure Shell) gives you command-line access to your server as the root user - useful for...
Requesting a reboot or reporting an issue with your server

If your server is unresponsive, running slowly, or you need it rebooted for any reason - don't...