Aren't that ironic somehow a mixing site that should provide a tool to make Bitcoin become full anonymity are using a questionable service like Cloudflare, and also Google analytics. Don't get me wrong, but those services aren't privacy-oriented.

With regret, I am (for now) admitting defeat on the DDoS front, and we will soon be using using Cloudflare to protect against DDoS attacks.

I really don't believe in willingly putting a man-in-the-middle in your HTTPS like this

Cloudflare can see your unencrypted password when you log in. It's still encrypted from the real server to Cloudflare and from Cloudflare to you. So it's not blatantly insecure except in that Cloudflare is very probably an NSA honeypot