A hardcoded second salt is called a pepper, and some programs use it. Unfortunately, with a popular and outdated PHP app like VBulletin, it won't be too difficult for an attacker to obtain both the DB dump and whatever configuration file that contains the pepper. All those PHP files just sit inside the document root, and everyone knows exactly where they are.