The command line flag to mysqld that tells it to start without network protocols enabled. At that point you can only connect from a process local to that server (https://dev.mysql.com/doc/refman/8.0/en/server-system-variab...), so this attack vector is closed. But with poorly secured SSH/Apache/PHP/WordPress on the box it’s still trivial to get pwn’ed...
