Nothing should be assumed, and ssh is often not the only access to [email protected] on mysql, bad implementations of webmin and phpmyadmin, i.e. the default ones, and many can’t help themselves from installing them that way anyway, also allow such access.
I hope we all know to set up and use public key ssh access and turn off ssh password logins, build a strong firewall and IDS suite.
Many argue that http should be denied to everyone simple because there are probably unknown weaknesses hidden in your Document Root, but that also complicates any “user portals” in there.
Adding a password to the [email protected] mysql account is just being a wise virgin. For ease add it after everything else mysql wise is working.
And it’s other access routes that I was really worried about.
In this world of security awareness I’d love to see the next release include things like public key ssh access, https access by default locked to a given up, that kinda stuff. IDS included would be nice.