Getting spam links in YOURLS? Read this.

I regularly get reports or calls for help about YOURLS installs that are flooded with spam links despite being configured as private (i.e. constant YOURLS_PRIVATE set to true, as 99% of installs should have).

In 9 cases out of 10, the “problem” is that the user also has set up an unprotected public interface through which anyone can shorten links. Seriously. PEBKAC, really.

But a kind and smart user also brought to my attention a (stupid) server default config that can make your YOURLS install spammable: on some machines, filename.php.txt is interpreted as a PHP file instead of a text file.

In other words, when loading sample-public-front-page.php.txt in your browser, instead of seeing code in a text file, you might see this:

[Image: your-server-sucks]

Check right now that your server is properly configured. If that’s not the case, delete or rename those *.php.txt files and poke your server admins because I’m pretty sure that’s not how a web server is supposed to run.
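One way to run that check from a script, as an added example that is not part of the original post or of YOURLS: it requests the sample file and reports whether the PHP source came back as text or was executed. The base URL is supplied by you, and the function names and result labels are made up for this illustration.

```python
import sys
import urllib.error
import urllib.request

SAMPLE = "sample-public-front-page.php.txt"  # file name taken from the post


def classify(status, body):
    """Decide how the server handled a request for a *.php.txt file."""
    if status == 404:
        return "absent"           # deleted or renamed: nothing left to execute
    if status != 200:
        return "inconclusive"     # redirect, 403, 500...: inspect by hand
    # A server that treats the file as text sends the source verbatim,
    # so the PHP opening tag is visible in the response body.
    if b"<?php" in body:
        return "served-as-text"
    # 200 without the opening tag: the code ran and we received its output.
    return "executed-as-php"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the landing page would look like PHP output."""

    def redirect_request(self, *args, **kwargs):
        return None  # urllib then raises HTTPError carrying the 3xx status


def check(base_url, name=SAMPLE, timeout=10):
    """Fetch base_url/name and classify the response."""
    url = base_url.rstrip("/") + "/" + name
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, b"")


if __name__ == "__main__":
    # Usage: python check_php_txt.py https://your-yourls-install.example
    result = check(sys.argv[1])
    print(SAMPLE + ": " + result)
    sys.exit(1 if result == "executed-as-php" else 0)
```

A result of executed-as-php means the file should be deleted or renamed as described above; absent or served-as-text means this particular hole is closed.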

Note: if you’re purposely running a public YOURLS install and you are getting spam, that is another matter. There are numerous anti spam plugins for YOURLS. Use them.

Short URL to this post: http://yourls.org/ax

7 thoughts on “Getting spam links in YOURLS? Read this.”

  1. I suspect this is the very reason I was getting so many spam links.

    For what it’s worth, I host on Bluehost, one of the largest hosts. I navigated straight to myyourlsinstall/sample-public-front-page.php.txt and it loaded exactly like you say.

    Thanks for getting to the bottom of this.

  2. Thanks.
    mmm…to avoid numerous links without clicks you can automatically delete the link with 0 click after 7 or 10 days?
    (Sorry for my English)

  3. Thanks for posting this, the .txt files load like php on a hostgator shared account and is likely the cause for my spam/headache.

    I wonder if it’d be worth (for your sake, to avoid unnecessary questions!) to add something like this on those samples:

    if ( preg_match( '/\.txt(\?|$)/', $_SERVER['REQUEST_URI'] ) ) { die( 'No!' ); }
