There are few workflow interruptions more frustrating than setting up a local database client—be it DBeaver, MySQL Workbench, or DataGrip—only to be rejected by the server. You have the correct username, the correct password, and the correct hostname, yet the connection fails with standard errors like ERROR 1045 (28000): Access denied or Connection refused.
If you are hosting on Hostinger, this is a distinct, security-focused architectural feature, not a bug. By default, Hostinger (and most shared hosting providers) configures the MySQL daemon to reject all TCP/IP connections originating from outside the localhost environment.
This guide provides the technical steps to bypass this restriction securely via hPanel and explains the networking logic governing these rejections.
The Root Cause: MySQL Bind-Address and Firewall Rules
To understand why your connection is failing, we must look at the MySQL server configuration file (my.cnf) and the network firewall.
In a standard secure installation, the bind-address directive is often set to 127.0.0.1. This forces the MySQL service to listen only on the loopback interface. Even if you open port 3306 on the firewall, the database process literally cannot see traffic coming from your external IP address.
Hostinger manages this via a dual-layer security model:
- Network Firewall: Port 3306 is closed to the public internet by default to prevent brute-force attacks.
- Access Control Lists (ACL): MySQL user privileges are often scoped. A user defined as
'user'@'localhost'is technically different from'user'@'%'(wildcard) or'user'@'192.168.1.5'.
When you try to connect from your home office or a remote backend server, the handshake is dropped immediately because your specific IP address hasn't been explicitly whitelisted in the firewall to pass traffic to the database cluster.
Solution 1: Whitelisting via hPanel (The Direct Fix)
The primary method to resolve this on Hostinger is utilizing the "Remote MySQL" tool in hPanel. This feature effectively modifies the firewall rules and updates the MySQL user host privileges to allow external traffic from specific sources.
Step 1: Identify Your Public IP
You need your current public IPv4 address. Do not rely on internal network IPs (like 192.168.x.x).
Run this command in your local terminal to get your accurate external IP:
# MacOS / Linux
curl ifconfig.me
# Windows PowerShell
(Invoke-WebRequest -uri "http://ifconfig.me/ip").Content
Step 2: Configure hPanel
- Log in to your Hostinger account and navigate to hPanel.
- Go to the Databases section in the sidebar.
- Click on Remote MySQL. Note: This is separate from the standard "Management" tab.
Step 3: Add the Access Rule
In the "Create Remote MySQL connection" form, you will see fields for Host (IP) and Database.
- Host (IP): Paste the IP address you retrieved in Step 1.
- Database: Select the specific database you need to access.
- Create: Click the button to apply the rule.
Hostinger creates a specific grant. Under the hood, it executes logic similar to this SQL command:
-- Conceptual logic executed by Hostinger backend
GRANT ALL PRIVILEGES ON target_database.* TO 'user'@'your_public_ip';
FLUSH PRIVILEGES;
Once the list updates, retry your connection in DBeaver or Workbench. It should succeed immediately.
Solution 2: SSH Tunneling (The Secure "Pro" Fix)
Whitelisting IPs is tedious if you have a dynamic IP address (which most residential ISPs assign). A more robust, engineering-grade solution is SSH Tunneling (Port Forwarding).
This method creates an encrypted tunnel between your local machine and the Hostinger server. You connect your database client to your local machine, and SSH forwards the traffic to the server's localhost. This bypasses the need for "Remote MySQL" whitelisting entirely because the traffic appears to come from the server itself.
The SSH Command
Run the following command in your terminal. You will need your SSH credentials (IP, username, and port, usually 65002 for Hostinger shared plans).
# Syntax: ssh -L local_port:db_host:remote_port ssh_user@ssh_host -p ssh_port
ssh -L 3307:127.0.0.1:3306 u123456789@123.123.123.123 -p 65002
Breakdown of flags:
-L 3307:127.0.0.1:3306: Listens on your local port3307. Forwards to127.0.0.1(the server's localhost) on port3306.-p 65002: Hostinger uses a non-standard SSH port.
Configuring the Client
In DBeaver or Workbench, configure the connection as follows:
- Host:
127.0.0.1(Localhost) - Port:
3307(The forwarded port) - Username: Your database username
- Password: Your database password
This is strictly safer than whitelisting because port 3306 remains closed to the public internet.
Common Pitfalls and Edge Cases
Even with the steps above, connection issues can persist. Here are the technical nuances to check.
1. The % Wildcard Risk
In the Remote MySQL section, you can technically enter % as the IP address to allow any IP to connect.
Do not do this.
Using the wildcard exposes your database port to the entire internet. Bots constantly scan for open 3306 ports to attempt brute-force attacks. Only whitelist specific IPs or use the SSH tunnel method.
2. Incorrect Hostname
When not using SSH tunneling, do not use localhost as the hostname in your SQL client. You must use the External Server IP or the domain name provided in the "MySQL Databases" section of hPanel.
3. Dynamic IP Rotation
If your connection works today but fails tomorrow, your ISP has likely rotated your dynamic IP.
- Fix: Re-check
curl ifconfig.meand update the Remote MySQL list. - Better Fix: Switch to the SSH Tunneling method described in Solution 2.
4. User Privilege Mismatch
Sometimes, creating a user in hPanel allows access for localhost but fails to propagate the grant for external IPs immediately. If you have CLI access, you can verify grants:
SHOW GRANTS FOR 'current_user';
Ensure you see a line granting access to 'user'@'your_ip' or 'user'@'%' (if utilizing wildcards).
Summary
The "Access Denied" error on Hostinger is a firewall and privilege enforcement mechanism. While it adds friction to the development workflow, it protects your data from automated attacks.
For a quick fix, use the Remote MySQL tool in hPanel to whitelist your specific IP. for a long-term, secure workflow—especially for teams or those with dynamic IPs—configure an SSH Tunnel to forward local traffic directly to the database socket.