Unsure if you’ve noticed, but the URL for this forum is insecure: http://forum.pkp.sfu.ca/ – being HTTP only, and HTTPS isn’t available. This means that any and all login credentials entered are transmitted in the clear and can be read and obtained by anyone on the network, as well as requests/responses being able to be tampered with.
Browsers like Firefox are already highlighting this problem, and severity of errors will escalate with later browser versions.
If getting an SSL/TLS certificate is a problem, then may I suggest Certbot/Let’s Encrypt (http://certbot.eff.org/), the free certificate authority supported by all major web entities (https://letsencrypt.org/). It allows free certificates to be automatically issued and renewed, certs are supported in all major browsers, and plugins are available for all major web server software.
As a final point, I’d suggest that you email all users on the forum to let them know about the fact they should change their passwords. Given how simple it is to intercept HTTP-only traffic, this will help users stay safe (especially if they’re reusing passwords).