When creating new users and granting privileges, it is often easy to grant all privileges on a database or all privileges globally, but this should be avoided. When granting privileges, try to grant the minimum necessary for a user to perform their assigned tasks. Grant the privileges on a database by database basis, and avoid using a hostname of %. If a user needs to connect within a 192.168.1.0 network, grant the privileges to 'username'@'192.168.1.%'. Try to be a restrictive as possible, and grant additional privileges only as they are needed.
For example, when creating a new user for the 'fictional' database that needs to query and manipulate data, use the following:
mysql> GRANT SELECT, INSERT, UPDATE, DELETE ON fictional.* TO 'bob'@'192.168.1.%';
The root user does not need to be named 'root'. Most attackers will obviously try to compromise the 'root' user account and will be stopped if there is no 'root' user. To change the name of the root user account, use the following commands:
Enter password: *****
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 4.1.9-nt
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> USE mysql;
mysql> UPDATE user SET user='bob' WHERE user='root';
Query OK, 1 row affected (0.19 sec)
Rows matched: 1 Changed: 1 Warnings: 0
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.23 sec)