I am new to docker and have been working through various tutorials for working with websites including WordPress. The following docker-compose code seems fairly standard and it works fine for me:

db_node_domain:
 image: mysql:5.7
 volumes:
   - ./db_data:/var/lib/mysql
 restart: always
 environment:
   MYSQL_ROOT_PASSWORD: mystrongpassword
   MYSQL_DATABASE: wordpress
   MYSQL_USER: wordpress
   MYSQL_PASSWORD: wordpress
 container_name: wp_db
 networks:
   - "proxy-tier"

wordpress:
 depends_on:
   - db_node_domain
 image: wordpress:latest
 ports:
   - "8080:80"
 expose:
   - "8080"
 restart: always
 environment:
   VIRTUAL_HOST: blog.mydomain.com
   LETSENCRYPT_HOST: blog.mydomain.com
   LETSENCRYPT_EMAIL: foo@mydomain.com
   WORDPRESS_DB_HOST: db_node_domain:3306
   WORDPRESS_DB_USER: wordpress
   WORDPRESS_DB_PASSWORD: wordpress
 container_name: wordpress
 networks:
   - "proxy-tier"

To improve security, I want to use different username and stronger passwords for MYSQL_USER and WORDPRESS_DB_USER but if I make any changes at all in them I get 502 Bad Gateway from nginx. Can I not change these - or is it even necessary when the containers aren’t exposed directly to the outside world?

The problem is that the mysql container is allready created with your original password, so the “easy” solution would just to delete the mysql data and start over.

Or you can try to change password if you are familiar with mysql cli

docker exec -ti MYSQL-CONTAINER-NAME mysql -u USER -pPASS

Got it sorted, thank you. I’m still a newbie to Docker and didn’t think about the previous data persisting in the volume declared in the docker-compose file.

In your mysql section, you have:
volumes:

• ./db_data:/var/lib/mysql

which will mount your local db_data to /var/lib/mysql, so data in the container now is on your host.
if you delete this part, you will get a fresh mysql database everytime you re-create it

Yes, that is exactly what I did