Oct 8 2005, 08:58 PM
Post
#11
Advanced Member Group: Members Posts: 110 Joined: 6-April 05 Member No.: 3,673
How about using a script which can only be run by "nobody"?
Oct 8 2005, 09:04 PM
Post
#12
Newbie [ Level 2 ] Group: Members Posts: 13 Joined: 8-October 05 Member No.: 8,988
hmmm...
What exactly do you mean? Can't be run by anyone? With what are you going to limit this? .htaccess? Or chmod? And if no one can access it, why does it exist? It seems odd to me, or I didn't quite understand what you meant?
Oct 8 2005, 09:29 PM
Post
#13
Advanced Member Group: Members Posts: 110 Joined: 6-April 05 Member No.: 3,673
QUOTE(Fate @ Oct 8 2005, 09:04 PM)
hmmm... what exactly do you mean? can't be run by anyone?

I may be crazy, but I'm not that crazy. If I had meant that the script can't be run by anyone, I would have written nobody, without the quotes. When I wrote "nobody", with quotes, I was referring to the special user called "nobody" on many UNIX-type systems. If I'm not mistaken, the user "nobody" is the server itself, and if one sets the owner of a script to "nobody", and then has it writable, executable, whatever, only by the owner, it can't be run except by a process on the server itself, not by an ordinary user. Of course, I may be wrong.

QUOTE
with what are you going to limit this? .htaccess? or chmod?

CHMOD, as above.

QUOTE
and if no one can access it why does it exist?

To preserve the spiritual balance of the Universe.

QUOTE
it seems odd to me, or I didn't quite understand what you meant?

You obviously didn't understand what I meant, but it could be that what I was suggesting is impossible. Somehow, though, I seem to remember seeing scripts which were really written that way.
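
An added example, not part of the original thread: a shell function that audits a script directory for the setup described in the post above, with every file owned by one account and no permission bits granted to group or other. The function name `audit_owner_only` is hypothetical, the default owner `nobody` is the account named in the post, and GNU `stat` (Linux) is assumed; file modes govern which local accounts can read or run a file.

```shell
#!/bin/sh
# Added example: audit a directory for scripts that are not owner-only.
# Assumptions: GNU coreutils `stat`; the function name is hypothetical.
# The owner defaults to "nobody", the account named in the post; pass the
# account your web server actually runs as.

# audit_owner_only DIR [OWNER]
# Prints one line per regular file that is not owned by OWNER ("OWNER ...")
# or that grants any permission bit to group or other ("MODE ...").
# Returns 0 if every file passes, 1 if any file fails, 2 on a bad DIR.
audit_owner_only() {
    dir=$1
    owner=${2:-nobody}
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi

    failures=$(
        find "$dir" -type f -exec stat -c '%U %a %n' {} + |
        while read -r file_owner mode path; do
            if [ "$file_owner" != "$owner" ]; then
                echo "OWNER $file_owner $mode $path"
            # 0$mode is read as octal; 077 masks the group and other bits.
            elif [ $(( 0$mode & 077 )) -ne 0 ]; then
                echo "MODE $file_owner $mode $path"
            fi
        done
    )

    if [ -z "$failures" ]; then
        return 0
    fi
    printf '%s\n' "$failures"
    return 1
}
```

A file that passes shows mode 700 (or stricter) and the expected owner; `chmod 700 FILE` clears a `MODE` finding, and changing the owner requires root.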
Oct 8 2005, 10:14 PM
Post
#14
Newbie [ Level 2 ] Group: Members Posts: 13 Joined: 8-October 05 Member No.: 8,988
You are suggesting a good idea...
though it will require some kind of gateway script that will make the request on the other script so it will originate from the server itself... otherwise the origin even on regular surfing is always from the user. What you are suggesting can be done, and I've seen it, it's quite good protection...
Oct 9 2005, 10:35 AM
Post
#15
Advanced Member Group: Members Posts: 110 Joined: 6-April 05 Member No.: 3,673
I suspect that there's something very simple which would be pretty effective in practice, if not in theory: Just have the script check the referrer. It's true that the referrer can be spoofed very easily, but whoever hacks the site isn't going to know immediately why he got a 403, or whatever, and he often won't have any overwhelming interest in hacking a particular site, unless it's a professional hacking a bank site, or whatever. I suspect that most of the vermin who hack other people's Web sites are script kiddies trying to feel important: if they (or their robots) can't get in immediately, they'll just go elsewhere.
Like the lock on a door, Web security doesn't have to be perfect, and never will be. It just has to be good enough to make hacking that site a waste of the guy's time. I have two desktop machines always online protected only by minimal and very standard security, and I've never been hacked (yet).
Oct 12 2005, 09:50 AM
Post
#16
Newbie [ Level 2 ] Group: Members Posts: 13 Joined: 8-October 05 Member No.: 8,988
True enough, personal computers don't usually get hacked by people,
but by worms or other automatic tools, but I think we are going off the subject here. The subject was site protecting.. and sites, depending on their content, can attract more serious and more skilled people to try and break it. And I agree that security can't be perfect...
Oct 12 2005, 10:45 AM
Post
#17
Advanced Member Group: Members Posts: 110 Joined: 6-April 05 Member No.: 3,673
QUOTE(Fate @ Oct 12 2005, 09:50 AM)
the subject was site protecting..

Well, I was really referring to my Web sites as well, but I decided to phrase it as if I were talking only about my desktop machines because I believe in keeping a low profile, also for security reasons. Of course, thousands of people per week do find my sites, and I wouldn't want them to stop, but as the lady said, why look for trouble? On the other hand, it could really be that the bad guys don't find my sites "serious" enough. So much the better.
Oct 24 2005, 03:23 AM
Post
#18
Newbie [ Level 1 ] Group: Members Posts: 8 Joined: 23-October 05 Member No.: 9,252
Make sure all of your moderators and administrators use non-dictionary-word, 'strong' passwords, consisting of 8 or more letters and numbers.
You can add .htaccess protection to your Admin and Mod CP directories, although if you guard your passwords and stay up to date with vBulletin releases, this is somewhat overkill. Although I guess it can't hurt.