diff --git a/src/infrastructure/templating/docker_compose/template/renderer/docker_compose.rs b/src/infrastructure/templating/docker_compose/template/renderer/docker_compose.rs
index 522bf14e..bec247c6 100644
--- a/src/infrastructure/templating/docker_compose/template/renderer/docker_compose.rs
+++ b/src/infrastructure/templating/docker_compose/template/renderer/docker_compose.rs
@@ -301,10 +301,10 @@ mod tests {
             "Volume should use local driver"
         );
 
-        // Verify port mapping
+        // Verify port is NOT exposed (security fix: https://github.com/torrust/torrust-tracker-deployer/issues/277)
         assert!(
-            content.contains("3306:3306"),
-            "Should expose MySQL port 3306"
+            !content.contains("3306:3306"),
+            "MySQL port 3306 should NOT be exposed externally for security"
         );
     }
 
diff --git a/templates/docker-compose/docker-compose.yml.tera b/templates/docker-compose/docker-compose.yml.tera
index 7bd5b784..e61f47a5 100644
--- a/templates/docker-compose/docker-compose.yml.tera
+++ b/templates/docker-compose/docker-compose.yml.tera
@@ -176,8 +176,11 @@ services:
 {%- for network in mysql.networks %}
       - {{ network }}
 {%- endfor %}
-    ports:
-      - "3306:3306"
+    # SECURITY: MySQL port is NOT exposed to the host/external network.
+    # - Only the tracker container can access MySQL via Docker's internal database_network
+    # - The healthcheck runs inside the container, so no external port is needed
+    # - This prevents unauthorized external access to the database
+    # See: https://github.com/torrust/torrust-tracker-deployer/issues/277
     volumes:
       - mysql_data:/var/lib/mysql
     command: --mysql-native-password=ON
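Review bot: The new negated assertion `!content.contains("3306:3306")` only proves that one exact mapping string is absent, so a later template regression that reintroduced a `ports:` entry for MySQL in any other shape (a bare `- "3306"` short form, or a host-IP-prefixed mapping) would leave this test green while the port is exposed again. Since the whole rendered file is in `content` and other services legitimately publish ports, the stronger check is to isolate the mysql service's section and assert it has no `ports:` key at all, for example `let mysql_section = content.split("mysql:").nth(1).expect("mysql service rendered"); assert!(!mysql_section.contains("ports:"), "MySQL service must not publish any port");` — the exact split anchor depends on how the service is named in the template, which this hunk does not show. The enclosing test function starts before this hunk.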
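Review bot: The second added comment line states that only the tracker container can reach MySQL via `database_network`, but the template attaches MySQL to whatever the `mysql.networks` loop just above yields, so reachability is a property of the rendered network configuration rather than something this template guarantees; a reader auditing the comment later could be misled if another service is attached to the same network. Suggest wording it as `# - MySQL is reachable only from containers attached to the same Docker networks (see mysql.networks above)`. The mysql service definition begins before this hunk, so I cannot confirm from here that no `expose:` or other port publication remains elsewhere in it.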