How to delete a user in MySQL or MariaDB

Deleting unused MySQL or MariaDB accounts closes login paths that applications, administrators, or former team members no longer need. Cleaning up old accounts also reduces the blast radius of leaked credentials and keeps privilege reviews focused on identities that should still exist.

Accounts are defined by a username plus a host matcher, such as 'app'@'localhost' or 'app'@'%', and each user@host pair is a separate login. DROP USER removes the account record and its server-wide or schema-level grants, so the safest workflow is to list the exact matching entries first, review their privileges, and then delete only the host variants you intend to remove.

Deleting the wrong account blocks new connections immediately for that login, so confirm the exact User and Host pair before running the change. Existing sessions are not forcibly disconnected, and replicated environments should apply account changes on the primary so they propagate normally. If the account is used as a DEFINER for views, routines, or events, review those dependencies before removal. Some installations also use socket authentication for root, so sudo mysql or sudo mariadb may be the correct administrative entry point.

1. Open an administrative client session.

   $ mysql --user=root --password
   Enter password:
   Welcome to the MySQL monitor.  Commands end with ; or \g.
   Your MySQL connection id is 13
   Server version: 8.4.8 MySQL Community Server - GPL
   
   mysql>

   Use the mysql or mariadb client command your installation provides. If root uses socket authentication, connect with

   $ sudo mysql

   or

   $ sudo mariadb

   instead.

2. List the exact account entries that match the username you want to remove.

   mysql> SELECT USER, Host FROM mysql.user WHERE USER = 'testuser' ORDER BY Host;
   +----------+-----------+
   | USER     | Host      |
   +----------+-----------+
   | testuser | %         |
   | testuser | localhost |
   +----------+-----------+
   2 ROWS IN SET (0.01 sec)

   On MariaDB 10.4 and newer, mysql.user is a compatibility view over mysql.global_priv, so this query still returns the correct account pairs.

   'testuser'@'localhost' and 'testuser'@'%' are different accounts. Each host variant must be reviewed and dropped explicitly.

3. Review the grants for every 'user'@'host' entry you plan to delete.

   mysql> SHOW GRANTS FOR 'testuser'@'%';
   +-----------------------------------------------------+
   | Grants FOR testuser@%                               |
   +-----------------------------------------------------+
   | GRANT USAGE ON *.* TO `testuser`@`%`                |
   | GRANT SELECT, INSERT ON `appdb`.* TO `testuser`@`%` |
   +-----------------------------------------------------+
   2 ROWS IN SET (0.00 sec)

   Run SHOW GRANTS for each distinct host entry before deletion, and avoid pasting the raw output into shared tickets or chat logs because MariaDB can include authentication details in the grant text.

4. Delete the exact account entries with DROP USER IF EXISTS.

   mysql> DROP USER IF EXISTS 'testuser'@'localhost', 'testuser'@'%';
   Query OK, 0 ROWS affected (0.00 sec)

   IF EXISTS turns a missing account into a warning instead of an error, which is useful when you are cleaning up stale or partly removed logins.

   New authentication attempts fail after this statement succeeds, but sessions that are already connected can continue until they disconnect.

5. Confirm that the account no longer appears in the account list.

   mysql> SELECT USER, Host FROM mysql.user WHERE USER = 'testuser';
   Empty SET (0.01 sec)

   DROP USER updates the grant tables directly, so FLUSH PRIVILEGES is unnecessary unless someone edited privilege tables manually.

6. Exit the administrative session.

   mysql> EXIT;
   Bye

7. Try a fresh login as the deleted account and expect the server to reject it.

   $ mysql --user=testuser --password
   Enter password:
   ERROR 1045 (28000): Access denied for user 'testuser'@'localhost' (using password: YES)