Firstly - where did you get that the database is available from outside? Is there a config from the database? 99.9% of providers block access to the database from the outside, everything works only through the localhost.
Secondly, it is much easier to break through the code than to brute muscle passwords. read a fresh article from a pintester on Habré, you will learn a lot of interesting things.

The base must never be accessible outside!
Port 3306 must be accessible only from localhost, otherwise everything will repeat itself.
In order to connect from another computer, you need to do either port forwarding via SSH (ssh [email protected] -L 3306:127.0.0.1:3306 -N) or configure a VPN.

Everyone writes about injections correctly, but this is not the only way to hack the base. Here is a list of known vulnerabilities , most of which are closed already. But this does not mean that there are no others besides the famous ones.

Hacking through the port is real if it is open, not protected in any way from brute force and simple passwords are used.
in the case of professional hosters, they usually do not like to open mySQL out to all addresses, and if they do, then they have brute force protection configured.
but I note that opening port 3306 for the public is exotic today and those who do this usually understand very well what and why they are doing (or finally they don’t understand anything in administration).

How can you hack through the port? Is it real, etc.

A database on an open port provides additional vectors for attack, such as brute force or exploit (a very revealing variant of CVE-2012-2122 ). This can be avoided by closing access to port 3306.

about protecting mysql, I only know about SQL injections and that I need a normal password (whatever they could not pick up).

Databases are mostly hacked through errors in the site code and insufficient filtering of incoming data.
You need to check the code for the possibility of SQL injection, since it becomes possible to extract the root password. And finally, check for XSS, since you can steal administrator session Cookies and work with the DBMS through the phpMyadmin panel. To do this, you will need programs such as SQLmap, MetaSploit, Arachni.
There are special resources, vulnerability scanners that can check most vulnerabilities, for example:
https://metascan.ru
https: //acunetix.com/
https: //detectify.com/

A hundred years in the afternoon of such a hack) They hack through a holey phpmyadmin, which you have available at
site.com/phpmyadmin
Change the standard address and disable access for the root user (usually enabled by default), or even better, delete phpmyadmin
wallet, you will find confirmation of the same fellow in misfortune.

They could have been hacked if the port was sticking out. They could break it if somewhere on the hosting, say phpmyadmin, (maybe on another account) and the port was closed. I don't think there should be any more questions.

Not through the port!
2 options:
- on the server there is an old, not updated phpmyadmin, which, if not needed, is better to turn off completely by renaming the folder
- on the server, the old php, for example 5th.