No bot would ever care about the version string returned, as this could be forged anyway. They don't even care if a particular application is installed at all. They simply try out all attacks/exploit that they have in its database and hope that one of them is successful.
If you want to harden your YOURLS installation, simply add password protection to the admin/ directory. As a side effect, this wil hide the login page with the version string, too.
You can improve security even more by not giving the PHP interpreter write access to the webserver's document_root. Of course, this would break auto-update mechanisms of CMS like Wordpress or Drupal. But as usually: There is no free lunch. The more you secure your installation, the less comfy it is for you to use and administer it.