Not using HTTPS to pass credentials is a big security risk.
I get that this is just a forum, but an account's user can lose credibility really fast if something starts doing a massive spam campaign. It looks like there is a lot of attention to detail to mitigate spam with captchas and whatnot so why not just enable HTTPS?
This can be done for free too.
https://medium.freecodecamp.org/free-https-c051ca570324