I feel obligated to echo the imperatives of other monks to use SSL. If you don't have the money to pay an organisation like VeriSign (not that I would give them a penny after their .com fiasco), you can create a self-signed certificate which -- although not signed by an established CA -- grants you the intended benefits of SSL, for free[1]. If you're using Apache, it ships with documentation on creating a self-signed certificate. And (at least in 2.x, haven't checked into SSL on a 1.x server yet) the SSL configuration file is extremely well-commented, so you should have no problems setting it up.
----
1: Okay, so your users have no reason to believe that it's you who signed it. But by accessing your site right now without SSL, they're saying how much they trust you, so I think that that's a moot point.
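
An added example, not part of the post above: creating a self-signed certificate with the `openssl` command-line tool and checking the trust property the footnote describes, namely that the certificate verifies only against itself, so users need its fingerprint through some other channel to confirm it. The function names, file names and host names are hypothetical, and `openssl` is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example. Function names, file names and CNs are constructed placeholders.

# make_selfsigned DIR CN
# Write DIR/server.key (unencrypted RSA key) and DIR/server.crt (self-signed).
make_selfsigned() {
    dir=$1; cn=$2
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
        -subj "/CN=$cn" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    # The key has no passphrase (-nodes), so restrict it to the owner.
    chmod 600 "$dir/server.key"
}

# is_self_signed CERT
# Succeeds when subject and issuer are the same name.
is_self_signed() {
    subj=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
    iss=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ]
}

# cert_fingerprint CERT
# Print the SHA-256 fingerprint, the value to hand to users out of band.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# trusted_by CERT CAFILE
# Succeeds only if CERT chains to a certificate in CAFILE (or the system store).
trusted_by() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}
```

Source the file, run `make_selfsigned /some/dir www.example.test`, and point the `SSLCertificateFile` and `SSLCertificateKeyFile` directives of Apache's mod_ssl at the two files it writes.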