When the user clicks on the Forgot Password in during a sign-in/login process its sends the user in clear text the password. For security purposes I think it would be better to not send the user's password; instead send them a link to create a new password. 

Passwords are stored in the database as plain text, it would would be nice if some level of encryption could be used for them.

These would be a couple of small things that could help with site security.