We have TLS!!!
Thanks for the work; this was important to secure credentials. Even though the site may not have much critical data, it is amazing what people can do when they impersonate someone (ATO = Account Takeover).
For IPv6, well, time to move to the modern world. People are on mobile, and most mobiles in the USA are on IPv6, allowing direct connections to services (no NAT). In Europe, depending on the country, it is there too, in a significant way…
But yes, this is not mission critical for this site. I think 2FA would be something to achieve first, though that does not stop you from working on them in parallel.
To add to the security list, and speaking of 2FA, I noticed there is no anti-abuse mechanism on the signup page. It is good that you have to validate your email address before getting access to the site, but that is often not enough to limit mass fake signups. A simple suggestion is to add a CAPTCHA and, if possible, rate limit the number of signups per IP.
And finally, for email security reasons and to counter phishing of logins and passwords, may I suggest you set up DMARC on the domain name. This will go a long way towards stopping people from sending emails on your behalf.
Anyhow, many thanks for the hard work in setting up this awesome community site. Sorry to be demanding, but security needs to be proactive rather than reactive: by the time you experience issues, it is too late; the data is gone and the harm is done. Please consider these fixes to be made in the (very) near future.
Once again, thanks for the time spent in this.
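As an added illustration of the per-IP signup limiting suggested in the post above (example code, not the site's own), here is a small sliding-window limiter that escalates from "allow" to "require CAPTCHA" to "block". It also covers the IPv6 point raised earlier in the same post: a mobile subscriber on IPv6 usually controls an entire /64, so the limiter buckets IPv6 clients by /64 rather than by single address. The thresholds, the `check_signup`-style call site and the sample addresses (documentation ranges 203.0.113.0/24 and 2001:db8::/32) are assumptions for the demo.

```python
"""Sliding-window signup limiter with CAPTCHA step-up and hard block.

Added example, not code from the site discussed in the thread. Assumes the
signup handler calls SignupLimiter.check(client_ip, time.time()) before doing
anything else with the POST, and uses the returned verdict to either proceed,
render a CAPTCHA challenge, or reject with HTTP 429.
"""
import ipaddress
from collections import defaultdict, deque
from typing import Deque, Dict

# Assumed policy: attempts 1..CAPTCHA_AFTER are free, the next ones need a
# CAPTCHA, and anything past BLOCK_AFTER within the window is rejected.
WINDOW_SECONDS = 3600
CAPTCHA_AFTER = 3
BLOCK_AFTER = 10


def bucket_key(ip: str) -> str:
    """Return the key to rate limit on.

    IPv4: the address itself (usually one NAT gateway per household/carrier).
    IPv6: the enclosing /64. A single subscriber typically holds a whole /64
    and can rotate interface identifiers inside it at will (privacy
    extensions do this automatically), so limiting per /128 is trivially
    bypassed by an abuser on IPv6.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        return str(ipaddress.ip_network((str(addr), 64), strict=False))
    return str(addr)


class SignupLimiter:
    def __init__(self, window: int = WINDOW_SECONDS,
                 captcha_after: int = CAPTCHA_AFTER,
                 block_after: int = BLOCK_AFTER) -> None:
        self.window = window
        self.captcha_after = captcha_after
        self.block_after = block_after
        # One bounded deque of attempt timestamps per bucket. maxlen caps
        # memory per key: we only ever need to know whether more than
        # block_after attempts fall inside the window. (A production
        # deployment would keep this in Redis with a TTL so it survives
        # restarts and is shared across app instances; that is assumed here.)
        self._hits: Dict[str, Deque[float]] = defaultdict(
            lambda: deque(maxlen=block_after + 1))

    def check(self, ip: str, now: float) -> str:
        """Record one signup attempt and return 'allow', 'captcha' or 'block'."""
        q = self._hits[bucket_key(ip)]
        cutoff = now - self.window
        while q and q[0] <= cutoff:      # drop attempts that aged out
            q.popleft()
        q.append(now)                    # blocked attempts count too: hammering
        n = len(q)                       # keeps the abuser blocked longer
        if n > self.block_after:
            return "block"
        if n > self.captcha_after:
            return "captcha"
        return "allow"


if __name__ == "__main__":
    lim = SignupLimiter(window=60, captcha_after=2, block_after=4)
    for t in range(6):                   # constructed burst from one IPv4 host
        print(t, lim.check("203.0.113.5", t))
    # Two different IPv6 addresses in the same /64 share one counter.
    print(bucket_key("2001:db8:1:2::1") == bucket_key("2001:db8:1:2:ffff::1"))
```

The verdict order matters: the CAPTCHA step-up keeps a legitimate household behind one IPv4 NAT (or one IPv6 /64) usable while making bulk registration expensive, and the hard block only kicks in well past that. Whatever thresholds are chosen, the email-validation step the post already has stays in place; this limiter sits in front of it.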
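To go with the DMARC suggestion in the post above, here is an added example (not the site's code) that parses a `_dmarc.<domain>` TXT record the way a receiver would and reports what the policy actually enforces. The record strings and the `example.com` mailbox are constructed placeholders; in practice the input would come from `dig TXT _dmarc.yourdomain`.

```python
"""Parse a DMARC TXT record and report what it really enforces.

Added example; not code from the site discussed in the thread. The sample
records below are constructed. Tag names and semantics follow RFC 7489:
v, p, sp, pct, rua.
"""
from typing import Dict, List, Optional, Tuple

ENFORCING = ("quarantine", "reject")


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dict.

    Tags are separated by ';'; the first occurrence of a tag wins. Values may
    themselves contain '=' (e.g. rua=mailto:a@x,mailto:b@y!10m), so split on
    the first '=' only.
    """
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags.setdefault(key.strip().lower(), value.strip())
    return tags


def assess_dmarc(txt: Optional[str]) -> Tuple[str, List[str]]:
    """Return (level, findings).

    level is one of: 'missing', 'invalid', 'none', 'quarantine', 'reject'.
    findings lists the gaps a domain owner would want to close.
    """
    if not txt:
        return "missing", [
            "no _dmarc record: receivers apply no policy, so mail forging "
            "your From: header is not rejected on DMARC grounds"]
    tags = parse_dmarc(txt)
    # RFC 7489: the record MUST start with v=DMARC1 or receivers ignore it.
    if not txt.strip().lower().startswith("v=") or tags.get("v") != "DMARC1":
        return "invalid", ["record does not begin with v=DMARC1; receivers ignore it"]
    policy = tags.get("p")
    if policy not in ("none",) + ENFORCING:
        return "invalid", [f"missing or unknown p= tag ({policy!r}); record is unusable"]

    findings: List[str] = []
    if policy == "none":
        findings.append("p=none only requests reports; spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if policy in ENFORCING and pct != "100":
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    subdomain_policy = tags.get("sp", policy)    # sp defaults to p
    if policy in ENFORCING and subdomain_policy not in ENFORCING:
        findings.append(f"sp={subdomain_policy}: subdomains are left unprotected")
    if "rua" not in tags:
        findings.append("no rua=: you will get no aggregate reports and cannot "
                        "see who is sending as your domain")
    return policy, findings


if __name__ == "__main__":
    samples = {                                  # constructed records
        "nothing published": None,
        "monitor only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "half enforced": "v=DMARC1; p=quarantine; pct=50",
        "enforced": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com",
    }
    for label, record in samples.items():
        level, notes = assess_dmarc(record)
        print(f"{label:18} -> {level:10} {notes}")
```

A practical rollout order, stated here as a general recommendation rather than anything the post claims: publish `p=none` with `rua=` first so the aggregate reports show which legitimate senders (newsletter tool, ticketing system) fail SPF/DKIM alignment, fix those, then move to `p=quarantine` and finally `p=reject`. DMARC only has teeth once SPF and DKIM are in place for the domain; the checker above assumes those exist and looks only at the policy record itself.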