Note added June 18, 2020: When this post was originally written, TLS/SSL certificates could be expensive and difficult to install. Fortunately, things have changed for the better over the last few years. Many web hosts will give you a free Let's Encrypt certificate, and they make it easy to install. Another thing that has changed is that browsers and search engines expect all sites to have a security certificate. So, you really should use a TLS/SSL certificate, rather than using one of the plugins described in this post.
Note added August 9, 2013: Because Semisecure Login Reimagined hasn't been updated in over 2 years, I switched to the Chap Secure Login plugin a few months ago. As far as I can tell, it does basically the same thing as Semisecure Login Reimagined, and it was last updated May 2013.
Note: This page contains affiliate links. Please see Affiliate Disclosure.
It's dangerous to send your WordPress username and password over the Internet unencrypted. The best option is to secure your login page with SSL. If that's not an option, use the Semisecure Login Reimagined plugin instead. I've used this plugin on several sites for years.
Below are screenshots of the login page before and during login. The plugin puts its messages just above the Remember Me checkbox. The red outline and asterisks in the 2nd screenshot are from a password manager.
Here's more information about this plugin from the WordPress Plugin Directory (Description and FAQ):
Description
Semisecure Login Reimagined increases the security of the login process by using a combination of public and secret-key encryption to encrypt the password on the client-side when a user logs in. JavaScript is required to enable encryption. It is most useful for situations where SSL is not available, but the administrator wishes to have some additional security measures in place without sacrificing convenience.
How does this work?
A user attempts to log in via the login page. If JavaScript is enabled, a secret-key is generated and used to encrypt the password along with a nonce, the public-key encrypts the secret-key, and the original (unencrypted) password is not sent. The server decrypts the secret-key with the private-key which is used to decrypt the password+nonce. The nonce is verified before handing the password over to WordPress for verification.
If JavaScript is not enabled, the password is sent in cleartext just like normal. This is inherently insecure over plaintext channels, but it is the default behavior of WordPress.
Is this really secure?
Short answer: No, but it's better than nothing.
Without SSL, you're going to be susceptible to replay attacks/session hijacking no matter what. What this means is that if someone is able to guess or learn the session ID of a logged-in user (which would be trivial to do in an unprotected wireless network), then essentially they could do anything to your WordPress site by masquerading as that user.
So what's the point?
The point of this is to prevent your password from being transmitted in the "clear." If someone is in a position where they can learn your session ID, under normal circumstances, they'd also be able to learn your password. The proper use of this plugin removes that possibility.
How can I make my site REALLY secure?
Use SSL. This means you'll have to have a dedicated IP (which usually costs additional money) and an SSL certificate (which is expensive for a "real" one, but if you're just using this for your own administration purposes, a "self-signed" certificate would probably suffice). Any more detail on these two things is beyond the scope of this document.
This is an excellent plugin. The only problem is it hasn't been supported for over 2 years and I have yet to find a suitable replacement. 🙁
Gary, I switched to the Chap Secure Login plugin a few months ago. As far as I can tell, it does basically the same thing as Semisecure Login Reimagined, and it was last updated May 2013.
Great, I was also looking for alternative. Now I got it, thanks to you. Cheers!