It is definitely possible to implement pretty reliable solution. But this must be done server-side.

Basic rule of security: you don’t trust client data.

Move all your checks to PHP and make your javascript as dumb as

$(".vote").click(function(e) {
    $.post('/vote.php', vote_data, function(result) {
        // update UI according to returned result
    }
}

It’s a common thing, however, to still do checks on the client, but as a way to improve usability (mark required form fields that weren’t filled) or reduce server load (by not sending obviously incomplete data). These client checks are for user’s comfort, not for your security.

Answering to your updated question:

If you store full log of when which user voted for which question, then yes, it’s pretty easy to prevent multiple voting (when user can vote for the same thing several times). Assuming, of course, that anonymous votes are not allowed.

But if you have a popular site, this log can get pretty big and be a problem. Some systems try to get away by disabling voting on old articles (and removing corresponding log entries).

What if someone intentionally tries to hack me?

There are different types of attacks a malicious user can perform.

CSRF (cross-site request forgery)

The article lists some methods for preventing the attack. Modern Ruby on Rails has built-in protection, enabled by default. Don’t know how it is in PHP world.

Clickjacking

This attack tricks users into clicking on something what isn’t what they think. For example, they may click “Play video”, but the site will intercept this click and post on user’s wall instead.

There are some articles on the Web as well.

• Wiki on clickjacking
• 5 ways to prevent clickjacking
• Javascript to prevent clickjacking