There's a common misconception that SSL certificates are not needed if a website has no "sensitive" data worth protecting.
At OC, we contend that every login or registration form should be SSL encrypted, no matter if there's 1 user account or 10,000. Sites with only internal users can get by at zero cost. A real SSL cert can cost as little as $20-30 a year.
The SSL protocol encrypts sensitive data moving between a web browser and a web server. It's also used between servers, like with API calls. Visit PayPal, eBay, or any bank site and you're likely to see a URL starting with https://. Modern browsers even use visual indicators like a yellow or green location bar and padlock icons.
At the very least, SSL should protect admin login credentials. You know, the ones that control an entire CMS/website. If there are registered users, then the stakes can be even higher.
Imagine I'm a hacker in a public place with a cheap wireless network. I use readily available tools to sniff out email addresses and passwords submitted to unencrypted forms. The odds are pretty good that at least one of these folks uses the same email address and password for other websites. I log in to their webmail and do a quick search of old emails for words like "password" or "bank statement" or "paypal". A few minutes later I find emails divulging online banks and probably even a few clear-text passwords. The rest is history.
Self-signed certificates can be created and installed with a bit of practice. If you need an official signed cert then quick and cheap ones can be had within hours. Scripts and instructions on both methods are all over the web. Expect, though, to spend a few hours tweaking and testing the first time.
While some shared hosting environments come with SSL certs, it's likely you'll need root-level access to install your own.
After installing an SSL certificate it's important to force pages with sensitive forms to always use the https:// version of the URL. This can be enforced with 301 or header redirects. Since SSL comes with overhead it's equally important to redirect back to http:// when https:// is not necessary.
In Drupal, the Secure Pages module makes enforcing secure vs non-secure pages very easy. We've accomplished the same in WordPress with a few lines of code, but there's probably a plug-in.
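One way to implement the redirect rule described above, as an added example in PHP (it is not the Secure Pages module or the WordPress code mentioned here). The host name and the list of sensitive paths are assumptions to be replaced with the site's own values.

```php
<?php
// Added example. CANONICAL_HOST and SECURE_PREFIXES are assumed values.
const CANONICAL_HOST  = 'www.example.com';
const SECURE_PREFIXES = ['/user', '/admin', '/wp-login.php', '/wp-admin'];

/** True when the path is a secure prefix itself or sits below one. */
function needs_https(string $path): bool
{
    foreach (SECURE_PREFIXES as $prefix) {
        if ($path === $prefix || strpos($path, rtrim($prefix, '/') . '/') === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Returns the URL to redirect to, or null when the request is already
 * on the right scheme. $server has the shape of $_SERVER.
 */
function redirect_target(array $server): ?string
{
    $uri    = $server['REQUEST_URI'] ?? '/';
    $path   = parse_url($uri, PHP_URL_PATH) ?: '/';
    $query  = parse_url($uri, PHP_URL_QUERY);
    $https  = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
    $secure = needs_https($path);

    if ($secure === $https) {
        return null; // already on the scheme this page should use
    }
    // Never bounce a submitted form body to http://; only GET/HEAD are downgraded.
    $method = $server['REQUEST_METHOD'] ?? 'GET';
    if (!$secure && !in_array($method, ['GET', 'HEAD'], true)) {
        return null;
    }
    // Build the target from the configured host, not the client's Host header.
    $scheme = $secure ? 'https' : 'http';
    return $scheme . '://' . CANONICAL_HOST . $path . (is_string($query) ? '?' . $query : '');
}

// Run this before any output is sent so the Location header can still be set.
$target = redirect_target($_SERVER);
if ($target !== null) {
    header('Location: ' . $target, true, 301);
    exit;
}
```

A redirect cannot protect credentials that were already posted over http://, so the page that renders the login form belongs in the secure list along with the URL it submits to.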
This is functionality many visitors wouldn't realize is missing, and many web developers don't bother to force. Yes, the odds are slim, but it's another layer. It's solving a problem that never happens.