I've just set up WordPress on a public site hosted by Dreamhost. I did this by unzipping the relevant files on my machine, setting up the MySQL connection details, SCP-ing the WordPress directory from my machine to the remote site and then browsing to the install page. All very nice and smooth. However, I'm worried about two things:
i) The MySQL account I put in the configuration file has fairly wide-ranging privileges (create and drop tables, users, etc.). Now that the site tables have been created and the installation is complete, I'd like to restrict that account so that it can only do the things WordPress needs to be able to do. What is the minimal set of privileges WordPress requires?
ii) For future reference: is there a way to set up WordPress on a remotely-hosted site that does *not* involve exposing the install process on the live internet for the thirty seconds or so it takes to click through it after it's finished uploading? I know it's unlikely that an attacker would have jumped in during that window of vulnerability, but it's still a window of vulnerability - during that time, anyone browsing to the site can potentially get an admin password for a web application that has access to a highly-privileged MySQL account. Can this be avoided?
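
For question (i), an added example that is not part of the original post: a check that reads `SHOW GRANTS` output for the WordPress account and reports anything beyond the SELECT, INSERT, UPDATE and DELETE that the WordPress hardening documentation gives as sufficient for normal operation. The database name `wp_blog`, the account `wp_user` and the sample grant lines are constructed assumptions.

```python
import re

# Per the WordPress hardening documentation, normal operation needs only data
# read/write; schema privileges are needed temporarily for some plugins and
# major upgrades.
RUNTIME_PRIVS = {"SELECT", "INSERT", "UPDATE", "DELETE"}
GRANT_RE = re.compile(r"^GRANT\s+(.+?)\s+ON\s+(\S+)\s+TO\s+(.*)$", re.IGNORECASE)

def parse_grant(line):
    """Return (scope, privileges) for one SHOW GRANTS line, or None."""
    m = GRANT_RE.match(line.strip())
    if not m:
        return None  # e.g. role grants, which have no ON clause
    # Drop column lists such as "SELECT (a, b)" before splitting on commas.
    priv_text = re.sub(r"\([^)]*\)", "", m.group(1))
    privs = {p.strip().upper() for p in priv_text.split(",") if p.strip()}
    if "WITH GRANT OPTION" in m.group(3).upper():
        privs.add("GRANT OPTION")
    # SHOW GRANTS quotes names with backticks and may escape "_" as "\_".
    scope = m.group(2).replace("`", "").replace("\\", "")
    return scope, privs

def audit(show_grants_lines, wp_db):
    """List (scope, privileges, reason) for grants beyond the runtime set."""
    findings = []
    for line in show_grants_lines:
        parsed = parse_grant(line)
        if parsed is None:
            continue
        scope, privs = parsed
        privs.discard("USAGE")  # USAGE means "no privileges"
        if scope.split(".")[0] != wp_db:
            if privs:
                findings.append((scope, sorted(privs), "outside the WordPress database"))
        elif privs - RUNTIME_PRIVS:  # ALL PRIVILEGES lands here as well
            findings.append((scope, sorted(privs - RUNTIME_PRIVS), "not needed at runtime"))
    return findings

# Constructed sample output, as if from: SHOW GRANTS FOR 'wp_user'@'localhost';
AS_INSTALLED = [
    "GRANT CREATE USER ON *.* TO 'wp_user'@'localhost'",
    "GRANT ALL PRIVILEGES ON `wp\\_blog`.* TO 'wp_user'@'localhost' WITH GRANT OPTION",
]
RESTRICTED = [
    "GRANT USAGE ON *.* TO 'wp_user'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `wp_blog`.* TO 'wp_user'@'localhost'",
]

if __name__ == "__main__":
    for finding in audit(AS_INSTALLED, "wp_blog"):
        print(finding)
    print(audit(RESTRICTED, "wp_blog"))  # no findings
```

An empty result means the account holds only the four data privileges on the WordPress database; schema privileges such as CREATE and ALTER can be granted temporarily around an upgrade and revoked afterwards.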