Credit: AJ Dexter firstname.lastname@example.org from IHackCharities.org
This one is more of a feature request, but also a problem.
When a user logs in, the credentials are sent over the network in plain text, meaning someone on the same physical network as the user would be able to intercept the administrator username and password.
A helpful fix would be an option to require an SSL connection for the login page, or a redirect to SSL.
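One way the requested option could behave, written as WSGI middleware; this is an added example, not code from the application in this report. It redirects the login form's GET to HTTPS, but refuses a plaintext POST instead of redirecting it, because by then the credentials have already crossed the network. The `/login` path, the host `admin.example.test` and the helper `probe` are assumptions, and the server is assumed to see the real request scheme (no TLS-terminating proxy in front).

```python
from urllib.parse import quote

class RequireTLSForLogin:
    """WSGI middleware: the login page is only served and accepted over HTTPS."""

    def __init__(self, app, canonical_host, login_prefix="/login", hsts_max_age=31536000):
        self.app = app
        self.canonical_host = canonical_host  # fixed value, never the client-supplied Host header
        self.login_prefix = login_prefix      # hypothetical path; set to the real login URL
        self.hsts = ("Strict-Transport-Security", f"max-age={hsts_max_age}")

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if environ.get("wsgi.url_scheme") == "https":
            # Over TLS: pass through and add HSTS so the browser skips plain HTTP next time.
            def with_hsts(status, headers, exc_info=None):
                return start_response(status, list(headers) + [self.hsts], exc_info)
            return self.app(environ, with_hsts)
        if not path.startswith(self.login_prefix):
            return self.app(environ, start_response)  # non-login pages are left unchanged
        if environ.get("REQUEST_METHOD") in ("GET", "HEAD"):
            # Redirect before the form is shown, so credentials are only typed into an HTTPS page.
            query = environ.get("QUERY_STRING", "")
            location = f"https://{self.canonical_host}{quote(path)}" + (f"?{query}" if query else "")
            start_response("301 Moved Permanently", [("Location", location), ("Content-Length", "0")])
            return [b""]
        # A plaintext POST has already exposed the credentials; a redirect would hide that. Refuse it.
        body = b"Login is only accepted over HTTPS.\n"
        start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                         ("Content-Length", str(len(body)))])
        return [body]


def probe(scheme, method, path, query=""):
    """Run one constructed request through the middleware; return (status, headers)."""
    def demo_app(environ, start_response):  # stand-in for the real application
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"wsgi.url_scheme": scheme, "REQUEST_METHOD": method,
               "PATH_INFO": path, "QUERY_STRING": query}
    RequireTLSForLogin(demo_app, "admin.example.test")(environ, start_response)
    return seen["status"], seen["headers"]
```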