I don't know what you call "monitoring your website" but the message means that creds are sent in plain text. A simple Mitm attack or decrypting wpa/wep packets, or capturing packet on an open wifi network would show them clearly.
You should use ssh to protect them. Well... Even that can be broken with sslstrip.
Hope this helps !