It's actually very easy to implement your own authentication. You should use either Argon2 or Bcrypt to store passwords. If the website is small, you shouldn't use JWTs (see https://blog.ploetzli.ch/2024/should-i-use-jwt-for-authentic...). Ideally, you should use an encrypted HttpOnly cookie with SameSite=strict, etc. which you can optionally sign just like you would sign a JWT although that's unnecessary. You might also find this useful: https://cheatsheetseries.owasp.org/cheatsheets/Authenticatio...
As long as the salt is an actual salt (i.e. unique random value for each user entry), it's not a disaster, but it's going to significantly easier to crack a password that was hashed once than one that's gone through hundreds of thousands of hashing iterations or used a more advanced algorithm like argon2 which is more resistant to cracking by design.
The recommendation that I'm familiar with is to increase the cost as high as your servers can reasonably bear. High number of iterations and more advanced algorithms will increase the load on your servers but in turn they'll also provide much better protection.
I've used randomly salted SHA512 to create a stored password. What's wrong with that?