Securing Yourls to prevent abuse

I’ve done what I’ve thought is everything I can to secure Yourls to prevent the general public from submitting URLs to my shortener.
A month ago I had one “hacker” submit a link that was then used to attack Amazon, which resulted in my host “revoking” the shortener until I fixed it.

I then went in and attempted to lock down/prevent the public from using the API to submit URLs. My thought was I wanted to prevent anyone without an account/login from submitting new URLs.

Today, I logged in and found another “spam” link… so clearly I didn’t lock it down enough.

So, I’m about 90% sure I followed all the guidelines I could find to secure Yourls; yet people are still able to abuse the system.

What I want is a plugin / code change which prevents ANYONE from creating URLs without being logged in. No anon public URLs … only if it’s attached to a specific account which I control.

I’d very much like to know more about this… I presume you have your installation set to private, correct?

What sort of url can be used on your install externally that can create a link? So far, I’ve tried things and it doesn’t seem to be possible (unless a secret key is involved).

Also, noticed in the bookmarklet code “ozhismygod” haha… funny stuff.

define( 'YOURLS_PRIVATE', true );
in user/config.php

Also looking for debug techniques which may aid me in determining how they are getting access into the database.

99% of the time, people noticing spam have just opened the door themselves. The first question I always ask is what cwldev asked, and you would not believe how many “huh… of course that’s the problem” I get.

So, the second question would be: what have you done that differs from the basic stock unmodified default install (plugins, custom settings, etc.)? Ask yourself the potential side effects of such modifications.

Some other ways to explore:

  • check for modified files: for instance, is your config.php untouched? No other password? The best way to make sure all files are unmodified is to remove everything and reupload everything :) I once cleaned an infected WordPress install where malicious code was injected from the .htaccess, which of course I didn’t check before hours of investigating.
  • activated plugins
  • changing your passwords (YOURLS password, mysql password, server passwords, ftp password)

The key to security boils down essentially to keeping everything up to date, particularly what’s not YOURLS on the same account. Most of the time the attack vector is an outdated piece of script somewhere else. No point in having the latest YOURLS if there’s a compromised WP in another directory.
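One way to do the “check for modified files” step above without re-uploading everything: hash a pristine unpack of the same YOURLS release and the deployed web root, then diff the two manifests. This is an added example, not code from the thread or from YOURLS; the directory names are assumptions, and it assumes coreutils (sha256sum, sort, mktemp) and POSIX awk.

```shell
#!/bin/sh
# Compare a deployed YOURLS tree against a pristine copy of the same release.
# Reports files whose content differs, files that are not part of the release
# (a dropped .htaccess or a PHP backdoor shows up here; user/config.php is
# expected) and release files that are missing. Paths containing whitespace
# are not handled. Assumes coreutils (sha256sum, sort, mktemp) and POSIX awk.

# Print "hash  relative/path" for every regular file under $1, dotfiles
# included, sorted by path.
yourls_manifest() {
    ( cd "$1" && find . -type f -print | sort | while read -r f; do
        sha256sum "$f"
    done | sed 's#  \./#  #' )
}

# Usage: yourls_diff_manifest PRISTINE_DIR DEPLOYED_DIR
# Prints one finding per line ("MODIFIED path", "ADDED path", "MISSING path"),
# sorted. Returns 0 when the trees are identical, 1 when anything differs.
yourls_diff_manifest() {
    p=$(mktemp) && d=$(mktemp) || return 2
    yourls_manifest "$1" > "$p"
    yourls_manifest "$2" > "$d"
    findings=$(awk '
        FILENAME == ARGV[1] { ref[$2] = $1; next }       # pristine: remember hash
        !($2 in ref)        { print "ADDED    " $2; next }
        ref[$2] != $1       { print "MODIFIED " $2 }
                            { delete ref[$2] }           # seen on both sides
        END { for (f in ref) print "MISSING  " f }
    ' "$p" "$d" | sort)
    rm -f "$p" "$d"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run as a script: sh check-yourls.sh /tmp/yourls-release /var/www/yourls
# (directory names are placeholders for your own unpacked release and web root)
if [ "$#" -eq 2 ]; then
    yourls_diff_manifest "$1" "$2"
fi
```

Anything listed as MODIFIED or ADDED that you did not put there yourself is worth reading before you change passwords, since it tells you what to look for in the web server logs.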