There’s been a lot of hype around a tool released not too long ago called FireSheep. In a nutshell, FireSheep is an extension for Firefox that monitors the airwaves of public Wi-Fi to sniff out login credentials for popular websites such as WordPress.com, self-hosted WordPress installations, Twitter, Facebook, and more. Once those credentials have been captured, FireSheep makes it easy to use them to gain access to someone’s account. In reality, this vulnerability is nothing new and has existed since the early days of wireless networking. The only way to protect yourself from it is to use an encrypted connection between your machine and the web server, which is typically handled via SSL.
If you want to protect the credentials for your self-hosted WordPress installation, the Codex article Administration Over SSL is a good start. I’ve also learned, thanks to Otto, that the WordPress app for iPhone is at risk of having its credentials sniffed as well, because the app uses the XML-RPC protocol. Even using the app over 3G instead of Wi-Fi does not protect the data from sniffing.
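As an added illustration of what the Codex article recommends, here is a wp-config.php fragment for a self-hosted install. This is example code, not code from the original post or from WordPress itself. FORCE_SSL_ADMIN is a real WordPress constant; the reverse-proxy handling and the xmlrpc.php check are this example’s own additions and assume you control the proxy in front of the site.

```php
<?php
// Added example for a self-hosted WordPress wp-config.php; not code from the
// original post. FORCE_SSL_ADMIN is a real WordPress constant (documented in
// the Codex article "Administration Over SSL"); the proxy handling and the
// xmlrpc.php check below are this example's own additions.

// Serve wp-login.php and everything under /wp-admin/ over HTTPS only, so the
// login form, the session cookies and the admin pages never cross the
// network in the clear. This is the setting the Codex article describes.
define('FORCE_SSL_ADMIN', true);

// If the site sits behind a TLS-terminating reverse proxy or load balancer,
// PHP sees plain HTTP and WordPress would redirect to HTTPS forever.
// Honour X-Forwarded-Proto only when you control that proxy, because any
// client could otherwise set the header and claim to be on HTTPS.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
    $_SERVER['HTTPS'] = 'on';
}

// FORCE_SSL_ADMIN does not cover xmlrpc.php, which the mobile apps use and
// which carries the username and password in every request. Refuse plain-HTTP
// XML-RPC calls outright instead of redirecting: clients do not re-send a
// POST body after a redirect, and a silent redirect would hide the problem.
// (This check is an assumption of the example, not a WordPress feature.)
$is_https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
if (!$is_https && basename($_SERVER['SCRIPT_NAME']) === 'xmlrpc.php') {
    header('HTTP/1.1 403 Forbidden');
    header('Content-Type: text/plain');
    echo "xmlrpc.php is only available over HTTPS; configure the client with the https:// site address.\n";
    exit;
}

// Database settings, authentication salts and $table_prefix follow as usual.
```

With this in place, the mobile app only works when it is configured with an https:// site address, which is exactly the behaviour you want: a plaintext XML-RPC request fails loudly instead of leaking the password.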
There is an ongoing thread in the Tavern forum about FireSheep and data sniffing in general. As Otto points out, when in doubt, use encryption.
Think you might have misread me there. Using the WordPress app over 3G is fairly unlikely to get sniffed. So actually I’d say you’re probably safe there. It’s one of those “it’s possible if you’re a hacker who is presenting how to do it at DefCon” type of things.
I just don’t want anybody to get the impression that XML-RPC is insecure. It’s the traffic that is non-encrypted. XML-RPC is just the protocol being used, and yes, it has your credentials sent along with it.
WiFi is simply insecure in general. Public WiFi even more so.