diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4494af07..ee5763e2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,13 @@ Changes are organized by date, with the most recent changes listed first.
 
 ## 2026-04-12
 
+### 🐛 VHOST INSTALL SHELL CORRECTNESS & SECURITY FIXES
+
+- Removed invalid `local` keyword from `create_db_sql` declaration in `scripts/functions/vhost/vhost-install.sh`; `local` has no effect outside a function and was misleading.
+- Removed invalid `local` keyword from `SQL_ESCAPED_PSWD` declaration in `scripts/functions/vhost/vhost-install.sh` for the same reason.
+- Changed the `printf -v create_db_sql` format string from single quotes to double quotes (with backticks escaped as `\``) to satisfy shell best-practice linting (SC2016 — expressions don't expand in single quotes).
+- Replaced the IFS-manipulation subshell (`IFS='|'; echo "${MULTIPART_PUBLIC_SUFFIXES[*]}"`) used to build `MULTIPART_SUFFIX_CASE_PATTERN` with a `printf`-based join (`printf '%s|'` + trailing-`|` strip), eliminating the HIGH-severity IFS side-effect security concern.
+
 ### 🔒 VHOST INSTALL SECURITY & VALIDATION FIXES
 
 - Added explicit `return` statement at the end of `escape_sql_string_literal()` in `scripts/functions/vhost/vhost-install.sh` to satisfy shell best-practice linting (SC2151/explicit-return warning).
diff --git a/scripts/functions/vhost/vhost-install.sh b/scripts/functions/vhost/vhost-install.sh
index c817b02f..921b1e54 100644
--- a/scripts/functions/vhost/vhost-install.sh
+++ b/scripts/functions/vhost/vhost-install.sh
@@ -51,7 +51,8 @@ validate_db_identifier() {
     exit 1
   fi
 }
-MULTIPART_SUFFIX_CASE_PATTERN="$(IFS='|'; echo "${MULTIPART_PUBLIC_SUFFIXES[*]}")"
+MULTIPART_SUFFIX_CASE_PATTERN="$(printf '%s|' "${MULTIPART_PUBLIC_SUFFIXES[@]}")"
+MULTIPART_SUFFIX_CASE_PATTERN="${MULTIPART_SUFFIX_CASE_PATTERN%|}"
 
 # Check if services are running
 check_required_services
@@ -282,14 +283,12 @@ if [[ "${INSTALL_WORDPRESS}" == "1" ]]; then
 
   echo "Randomly generated MySQL database credentials for ${DOMAIN}."
 
-  local create_db_sql
-  printf -v create_db_sql 'CREATE DATABASE `%s` CHARACTER SET utf8mb4 COLLATE utf8mb4_uca1400_ai_ci;' "${DB}"
+  printf -v create_db_sql "CREATE DATABASE \`%s\` CHARACTER SET utf8mb4 COLLATE utf8mb4_uca1400_ai_ci;" "${DB}"
   if ! sudo mariadb -e "${create_db_sql}"; then
     echo "Error: Failed to create database '${DB}' for domain '${DOMAIN}'." >&2
     exit 1
   fi
 
-  local SQL_ESCAPED_PSWD
   SQL_ESCAPED_PSWD="$(escape_sql_string_literal "${PSWD}")"
 
   if ! sudo mariadb -e "CREATE USER '${USR}'@'localhost' IDENTIFIED BY '${SQL_ESCAPED_PSWD}';"; then