HTTPS

All PHP applications should be using HTTPS now, as the arguments for not doing so have long been invalid. We can debunk some of them easily here.

Encryption is slow: This has not been the case for over a decade, as servers now have the ability to perform encryption in hardware (software encryption did add a noticeable penalty).

One certificate per IP address: This was due to a limitation in the HTTP protocol, whereby the Host header (which decides which virtual host the request is for) was sent only after the secure connection had been established. This meant that the web server could not select a certificate to load based on the Host header, and therefore only one certificate could be used per IP address (this certificate could contain multiple hostnames, but this was impractical for shared hosting platforms). This problem was solved by the Server Name Indication (SNI) extension to TLS, where the hostname is provided as part of the establishment of the secure connection. Although it took some time for clients and libraries to be updated to support SNI, the last major holdout was Internet Explorer on Windows XP.
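Once the server side is in place, the application still has to refuse to operate over plain HTTP. The following is an added example (not code from the original article) of how a PHP front controller can detect whether a request arrived over HTTPS, redirect insecure requests to the canonical HTTPS host, and emit HSTS and secure session-cookie settings for secure requests. The canonical hostname, the list of trusted reverse-proxy addresses, and the `X-Forwarded-Proto` behaviour of that proxy are assumptions you must replace with your own deployment's values.

```php
<?php
declare(strict_types=1);

/**
 * Decide whether the current request already arrived over HTTPS.
 *
 * $server is normally $_SERVER. The X-Forwarded-Proto header is only
 * trusted when the immediate peer is one of $trustedProxies; this assumes
 * your proxy overwrites that header on every request it forwards, so a
 * client cannot inject it.
 */
function isHttpsRequest(array $server, array $trustedProxies = []): bool
{
    // TLS terminated by the web server itself: PHP sets HTTPS to a
    // non-empty value other than "off".
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }

    // TLS terminated upstream (load balancer / CDN): only believe the
    // forwarded protocol when the connection comes from a known proxy.
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (in_array($remote, $trustedProxies, true)) {
        $proto = strtolower((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? ''));
        return $proto === 'https';
    }

    return false;
}

/**
 * Return the https:// URL to redirect to, or null if the request is
 * already secure. The configured canonical host is used instead of the
 * client-supplied Host header so a forged Host cannot steer the redirect.
 */
function httpsRedirectTarget(array $server, string $canonicalHost, array $trustedProxies = []): ?string
{
    if (isHttpsRequest($server, $trustedProxies)) {
        return null;
    }

    $uri = $server['REQUEST_URI'] ?? '/';
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/';  // never build a redirect from an unexpected request target
    }

    return 'https://' . $canonicalHost . $uri;
}

/**
 * Call this at the very top of the front controller, before any output.
 */
function enforceHttps(string $canonicalHost, array $trustedProxies = []): void
{
    $target = httpsRedirectTarget($_SERVER, $canonicalHost, $trustedProxies);
    if ($target !== null) {
        header('Location: ' . $target, true, 301);
        exit;
    }

    // Browsers that have seen this header will refuse plain HTTP for a year.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

    // The session cookie must never travel over plain HTTP (PHP >= 7.3 syntax).
    session_set_cookie_params([
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Usage (hostname and proxy address are placeholders, not real values):
// enforceHttps('www.example.com', ['10.0.0.5']);
```

The split into `isHttpsRequest` and `httpsRedirectTarget` keeps the decision logic free of side effects so it can be unit-tested with a constructed `$server` array; `enforceHttps` is the only function that touches headers or `exit`. The HSTS header should only be sent once you are sure every hostname under the domain serves HTTPS, because browsers will remember it for the whole `max-age`.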

HTTPS itself should be configured to use only current protocol versions of SSL/TLS.