[rotating the secret](#example-rotate-a-secret).
Go ahead and write a blog post or two and install a WordPress plugin or
theme to verify that WordPress is fully operational and its state is saved
across service restarts.
8. Do not clean up any services or secrets if you intend to proceed to the next
example, which demonstrates how to rotate the MySQL root password.
### Example: Rotate a secret
This example builds upon the previous one. In this scenario, you create a new
secret with a new MySQL password, update the `mysql` and `wordpress` services to
use it, then remove the old secret.
> [!NOTE]
>
> Changing the password on a MySQL database involves running extra
> queries or commands, as opposed to just changing a single environment variable
> or a file, since the image only sets the MySQL password if the database doesn’t
> already exist, and MySQL stores the password within a MySQL database by default.
> Rotating passwords or other secrets may involve additional steps outside of
> Docker.
1. Create the new password and store it as a secret named `mysql_password_v2`.
```console
$ openssl rand -base64 20 | docker secret create mysql_password_v2 -
```
2. Update the MySQL service to give it access to both the old and new secrets.
Remember that you cannot update or rename a secret, but you can revoke a
secret and grant access to it using a new target filename.
```console
$ docker service update \
     --secret-rm mysql_password mysql

$ docker service update \
     --secret-add source=mysql_password,target=old_mysql_password \
     --secret-add source=mysql_password_v2,target=mysql_password \
     mysql
```
Updating a service causes it to restart, and when the MySQL service restarts
the second time, it has access to the old secret under
`/run/secrets/old_mysql_password` and the new secret under
`/run/secrets/mysql_password`.
Even though the MySQL service has access to both the old and new secrets
now, the MySQL password for the WordPress user has not yet been changed.
> [!NOTE]
>
> This example does not rotate the MySQL `root` password.
3. Now, change the MySQL password for the `wordpress` user using the
`mysqladmin` CLI. This command reads the old and new password from the files
in `/run/secrets` but does not expose them on the command line or save them
in the shell history.
Do this quickly and move on to the next step, because WordPress loses
the ability to connect to MySQL.
First, find the ID of the `mysql` container task.
```console
$ docker ps --filter name=mysql -q
c7705cf6176f
```
Substitute the ID in the command below, or use the second variant which
uses shell expansion to do it all in a single step.
```console
$ docker container exec <CONTAINER_ID> \
    bash -c 'mysqladmin --user=wordpress --password="$(< /run/secrets/old_mysql_password)" password "$(< /run/secrets/mysql_password)"'
```
Or:
```console
$ docker container exec $(docker ps --filter name=mysql -q) \
    bash -c 'mysqladmin --user=wordpress --password="$(< /run/secrets/old_mysql_password)" password "$(< /run/secrets/mysql_password)"'
```
4. Update the `wordpress` service to use the new password, keeping the target
path at `/run/secrets/wp_db_password`. This triggers a rolling restart of
the WordPress service and the new secret is used.
```console
$ docker service update \
     --secret-rm mysql_password \
     --secret-add source=mysql_password_v2,target=wp_db_password \
     wordpress
```
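To confirm the state that steps 2 and 4 should leave behind, the following added example (not part of the Docker documentation) audits which secrets each service references and under which target name. The function names and the constructed sample data are assumptions for illustration; the secret and target names are the ones used in the steps above.

```shell
#!/bin/sh
# Added example: audit secret references during the rotation in steps 2 and 4.

# Print one "SOURCE TARGET" line per secret referenced by the service spec.
service_secret_refs() {
  docker service inspect --format \
    '{{range .Spec.TaskTemplate.ContainerSpec.Secrets}}{{println .SecretName .File.Name}}{{end}}' \
    "$1"
}

# has_ref REFS SOURCE TARGET: true if REFS contains exactly that mapping.
has_ref() { printf '%s\n' "$1" | grep -qxF -- "$2 $3"; }

# has_source REFS SOURCE: true if REFS references SOURCE under any target.
has_source() { printf '%s\n' "$1" | grep -q -- "^$2 "; }

# audit_rotation MYSQL_REFS WORDPRESS_REFS
# Prints each problem found and returns non-zero if there is any.
audit_rotation() {
  rc=0
  has_ref "$1" mysql_password_v2 mysql_password ||
    { echo "mysql: mysql_password_v2 is not mounted as mysql_password"; rc=1; }
  has_ref "$1" mysql_password old_mysql_password ||
    { echo "mysql: old secret is not mounted as old_mysql_password"; rc=1; }
  has_ref "$2" mysql_password_v2 wp_db_password ||
    { echo "wordpress: mysql_password_v2 is not mounted as wp_db_password"; rc=1; }
  if has_source "$2" mysql_password; then
    echo "wordpress: still references the old secret mysql_password"; rc=1
  fi
  return "$rc"
}

# Constructed sample data: the mappings the commands in steps 2 and 4 produce.
SAMPLE_MYSQL='mysql_password old_mysql_password
mysql_password_v2 mysql_password'
SAMPLE_WORDPRESS_BEFORE='mysql_password wp_db_password'
SAMPLE_WORDPRESS_AFTER='mysql_password_v2 wp_db_password'

# Against a live swarm, run on a manager node:
#   audit_rotation "$(service_secret_refs mysql)" "$(service_secret_refs wordpress)"
```

A non-zero exit after step 4 means at least one service still points at the wrong secret, so fix the reference before you continue.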
5. Verify that WordPress works by browsing to http://localhost:30000/ on any
swarm node again. Use the WordPress username and password