Are you afraid someone is going to copy your user table, and attempt a dictionary attack on the passwords? If so, then you have more to worry about than the way the passwords are encoded, since it is a "one way" hash. And even SHA1 is vulnerable to a dictionary attack with bad password selection. Not to mention that all existing passwords would be unrecoverable.
A better plan of attack would be to make sure your file server is secure, to prevent someone accessing the raw database, and consider moving your board to SSL encryption (https instead of http), using either a self-signed or purchased security certificate. Otherwise, your users' passwords are moving about internet unencrypted anyway.
And the code is login.php, profile.php, and admin/admin_users.php, but MD5 is used in other places, too.