I regularly get reports or call for helps about YOURLS installs that are flooded with spam links despite being configured as private (ie constant YOURLS_PRIVATE set to true, as 99% of installs should have)

In 9 cases out of 10, the “problem” is that the user also has set up an unprotected public interface through which anyone can shorten links. Seriously. PEBKAC, really.

But a kind and smart user also brought to my attention a (stupid) server default config that can make your YOURLS install spamable: on some machines, filename.php.txt is interpreted as a PHP file instead of a text file.

In other words, when loading sample-public-front-page.php.txt in your browser, instead of seeing code in a text file, you might see this:

Check right now that your server is properly configured. If that’s not the case, delete or rename those *.php.txt files and poke your server admins because I’m pretty sure that’s not how a web server is supposed to run.

Note: if you’re purposely running a public YOURLS install and you are getting spam, that is another matter. There are numerous anti spam plugins for YOURLS. Use them.