We’ve given up for now trying to get the XML-RPC interface to WordPress both to require SSL and to actually work consistently across third-party applications, and are switching to a mode of offering but not requiring SSL for XML-RPC, and ensuring that authentication is done with a non-NetID password. Users will be able to generate a WordPress “passcode” that will work for XML-RPC apps, while still logging in with their NetID when using a web browser.
This is being tested currently and should be put in production soon.