Urgent Security Update to XRT

I’ll keep this short and sweet – a very serious problem has been found with XRT. This problem could allow a knowledgeable attacker to view your Textpattern password in clear text.

This has been caused by a big oversight on my part – I left in some debugging code by accident. This debug code makes XRT log all incoming/outgoing XML-RPC data. Thanks to Sencer for bringing this issue to my attention.
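To show why a raw XML-RPC debug log exposes the password, here is an added illustration (not code from XRT or Textpattern, and written in Python rather than XRT's PHP so it runs stand-alone). XML-RPC parameters are positional, and the standard Blogger and metaWeblog API methods carry the username and password as plain string parameters, so logging the request body as-is writes the credentials to disk. The safe variant parses the call and redacts the credential positions before anything is logged; the method table, the `<redacted>` marker and the sample request are all constructed for this example, and it is an assumption that XRT exposes exactly these method signatures.

```python
import xmlrpc.client

# Positional index of (username, password) in the standard Blogger / metaWeblog
# API methods. Assumption for this example: XRT exposes these signatures.
CREDENTIAL_POSITIONS = {
    "blogger.getUsersBlogs": (1, 2),      # appkey, username, password
    "blogger.newPost": (2, 3),            # appkey, blogid, username, password, ...
    "blogger.editPost": (2, 3),           # appkey, postid, username, password, ...
    "metaWeblog.newPost": (1, 2),         # blogid, username, password, struct, publish
    "metaWeblog.editPost": (1, 2),        # postid, username, password, struct, publish
    "metaWeblog.getPost": (1, 2),         # postid, username, password
    "metaWeblog.getRecentPosts": (1, 2),  # blogid, username, password, count
}
REDACTED = "<redacted>"

# Constructed sample request: what a blogging client would POST to xmlrpcs.php.
SAMPLE_REQUEST = xmlrpc.client.dumps(
    ("1", "alice", "s3cret", {"title": "Hello", "description": "First post"}, True),
    methodname="metaWeblog.newPost",
)


def unsafe_log_entry(xml_body):
    """The pattern the debug code used: the raw body, credentials included."""
    return xml_body


def redact_request(xml_body):
    """Parse an XML-RPC methodCall and blank out credential parameters.

    Returns (method_name, redacted_params). For a method not in the table we do
    not know which position is a secret, so every string parameter is redacted.
    """
    params, method = xmlrpc.client.loads(xml_body)
    positions = CREDENTIAL_POSITIONS.get(method)
    redacted = []
    for index, value in enumerate(params):
        if positions is None:
            redacted.append(REDACTED if isinstance(value, str) else value)
        elif index in positions:
            redacted.append(REDACTED)
        else:
            redacted.append(value)
    return method, redacted


def safe_log_entry(xml_body):
    """A log line that records the call shape but never the credentials."""
    method, params = redact_request(xml_body)
    return f"{method}({', '.join(repr(p) for p in params)})"


if __name__ == "__main__":
    print("unsafe:", unsafe_log_entry(SAMPLE_REQUEST))
    print("safe:  ", safe_log_entry(SAMPLE_REQUEST))
```

Even the redacted form only belongs in a log that is switched off in production; the point of the example is that a request body is not a safe thing to write verbatim, because the protocol puts the credentials inline with the data.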

A fixed version of XRT 1.0 is available for download here – upload the contents of the xrt-v1.0 directory to the location of your Textpattern installation (usually /textpattern). The next time that you access your site with an XML-RPC client the log files will be deleted (if they exist). Alternatively, running the xmlrpcs.php file directly in a browser window should have the same effect.

I can only apologise for this – it’s a stupid, amateurish mistake, that should have been picked up on a lot sooner than now. Sorry!
