Opening up Port 3306 to the public is, indeed, asking for trouble. It’s another port being exposed and it’s another port that can be attacked (port 3306 is the default MySQL port - it’s well known and it will be a port listed in any automated attack).
You can, however, use a firewall to limit who can connect (i.e. limit connections to only your local IP and your web server(s)), though ultimately, you should simply use a tool, such as phpMyAdmin or Adminer, to manage database access (and limit access to this as well – don’t rely on basic password authentication through the script, use .htaccess to only allow your IP and then set up a username and password).
Even better, don’t use a public IP or localhost to connect to MySQL, use a Private Network IP (which would be provided by DigitalOcean). You’ll still need to set up firewall restrictions on the Private IP as well, though.
Ideally, you want to set up your firewall to deny all connections by default and then add rules that allow certain ports through, thus resulting in all connections being denied except to those which you specifically allow.
The most common ports you’ll need to keep open are:
80 - TCP - for HTTP
443 - TCP - for HTTPS
22 - TCP - for SSH (swap 22 for your SSH port number if you’ve modified it)
53 - UDP - for DNS
53 - TCP - for DNS if you’re running Bind (i.e. a DNS server)
This excludes mail server ports. I didn’t list those simply because they often vary.
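The default-deny layout described above, sketched as an added example (not part of the original answer): a script that prints ufw commands and refuses to open 3306 to anything that is not a private-network address. It assumes ufw is the firewall in use and allows outgoing traffic by default; the function names and every IP address are constructed for illustration.

```shell
#!/bin/sh
# Added example: prints ufw commands for a default-deny policy where MySQL
# (3306) is reachable only from named hosts on the private network.

# Succeed only if $1 is a well-formed RFC 1918 private IPv4 address.
is_private_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*.*.*.*.*) return 1 ;;   # empty, stray chars, >3 dots
    esac
    IFS=. read -r a b c d <<EOF
$1
EOF
    for octet in "$a" "$b" "$c" "$d"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    case "$a" in
        10)  return 0 ;;
        172) [ "$b" -ge 16 ] && [ "$b" -le 31 ]; return $? ;;
        192) [ "$b" -eq 168 ]; return $? ;;
        *)   return 1 ;;
    esac
}

# $1 = this host's private IP; remaining args = hosts allowed to reach MySQL.
# Nothing is printed unless every address passes validation.
emit_rules() {
    db_ip=$1; shift
    for addr in "$db_ip" "$@"; do
        is_private_ipv4 "$addr" || {
            echo "refusing: $addr is not a private address" >&2
            return 1
        }
    done
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"      # assumption, see lead-in
    for port in 22 80 443; do              # swap 22 for a custom SSH port
        echo "ufw allow $port/tcp"
    done
    for client in "$@"; do
        echo "ufw allow from $client to $db_ip port 3306 proto tcp"
    done
}

# Constructed sample: database host 10.132.0.5, web server 10.132.0.9.
emit_rules 10.132.0.5 10.132.0.9
```

Review the printed commands, then pipe them to `sh` as root to apply them; add the port 53 rules from the list above only if the host needs them.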