You should probably go over to HTTPS for the whole website.
If you really insist on having an insecure main site, the login form should at least be over HTTPS, otherwise an attacker can just read the admin username + password.
I don't know much about IP-address spoofing, but it seems like a very fragile system that would break for dynamic IP allocation, and I don't think relying on that will be a good idea.
IIRC, a site served over HTTPS will give warnings if subresources are loaded over HTTP, but not the other way.
The problem with self-signed certs is that the user will have to add an exception to trust the cert, so if there is a man-in-the-middle attack, they will likely think the cert needs to be re-trusted.
You're much better off just using a service like Let's Encrypt, which is free and can very easily be automated, for the entire website. You reduce a lot of risk for your users that way, both admin and non-admin.