You can't encrypt it browser-side before sending. You'll need SSL to do that.
If you wanted to custom-code a challenge-response system, you're welcome to do so. The /admin/login.php file is where you'd do it.
Some folks double protect the folder via .htaccess. However, this again is not encrypted unless the area is secured via SSL.
At $18 I'm not sure why SSL would be much of a problem ... esp since most hosts offer shared SSL for no cost. Shared SSL doesn't make the URL pretty, but as you said, it's functionality you're after.



