I'm a bit late to this party (*waves n00b flag*) but I wholeheartedly second this suggestion. Plain HTTP is super easy to sniff, either while it transits the internet or when a user is sharing an unencrypted network (e.g. coffee shop wifi).
Having your traffic sniffed is not such a big deal if all they got was the site content (oh no, somebody might be able to see the forum posts!), but a malicious person sniffing the traffic can get the PHP session keys (allowing them to masquerade as a user) or even user passwords if the attacker gets a chance to eavesdrop on the login activity.
This might a known issue that's being worked on and if so, sorry for blabbing on about it lol. Just wanted to give my $0.02 on the matter. Cloudflare and/or Let's Encrypt make setting up SSL much simpler than it used to be