Managing WordPress over a non-secure web connections is inherently a security risk, because your authenticated user session is transmitted within your cookies and is visible to prying eyes.
This is why you should use this plugin's Login Guard features to prevent login from non-validated IP addresses.
This is the default action for WordPress. And so it should be, because most sites do not have SSL certificates installed.
Important: Please only enable this option if you have a valid and tested SSL certificate for your site. If you enable this option and you don't have SSL enabled, you will be locked out from your site and unable to login.
This setting is the equivalent of adding the FORCE_SSL_ADMIN definition to the wp-config.php. For more details read the blog article here.