AFAIK, if you're not in https, the worst-case situation is that someone can steal your session ID, although I'm not sure it'd allow them to do a lot...
Login page in https means your hashed password is transmitted safely, but people can't steal your password itself, only your access to your account, which is barely better than getting a session ID.
Hmm, makes me think... Shouldn't we store two hashes for admins...? One hash for their account, and one hash for their admin verification (same password, different salt). That would probably make the whole thing even safer, I don't know..?
Regarding https, last week I spent a couple of hours configuring a free SSL certificate for wedge.org, until I realized, at install time, that it required having a stand-alone IP, i.e. no virtual host, like wedge.org is using... Oops! So, that's a waste of a certificate for me, I guess... Unless I move to a server with a dedicated IP :-(
And I'm not ready to move yet, as I switched ISPs this month, and the new one has a shorter and faster path to alwaysdata.com, meaning the site is finally blazing fast for me... :lol: Unless the server was upgraded in the meantime, I don't know...