I’ve done what I’ve thought is everything I can to secure Yourls to prevent the general public from submitting URLs to my shortener.
A month ago I had one “hacker” submit a link that was then used to attack Amazon which resulted in my Host “revoking” the shortner until I fixed it.
I then went in and attempted to lockdown/prevent the public from using the API to submit urls. My thought was I wanted to prevent anyone without an account/login from submitting new urls.
Today; I logged in and found another “spam” link… so clearly I didn’t lock it down enough.
So; I’m about 90% sure I followed all the guidelines I could find to secure Yourls; yet people are still able to abuse the system.
What I want is a plugin / code change which prevents ANYONE from creating urls without being logged in. No anon public urls … only if it’s attached to a specific account which I control.