Thanks!
I think I'll try the sledgehammer approach first.
It really is very basic, but since it's going to be open to the public (and already posted on a public forum) I'd like it to be reasonable safe. Especially since I've been checking my access.log for Apache lately and there's a number of requests for certain config files that do exist on one of my servers, but not accessible via the web server. Basically people trying to steal some usernames and passwords, but they can't get to the them thankfully.