Binding to address
MPD is insecure by default: it binds to all IP addresses/interfaces on the host machine, typically allowing anyone who can reach you on the network to connect to MPD, manipulate MPD, list all your music files, etc. There are several options for making MPD more secure. One is to set the "bind_to_address" option in the MPD config file (an example config file is provided with the MPD source and there is an example in the MPD man page). For example, to only allow connections from the local host, set "bind_to_address" to "localhost". Another option is to enable password authentication. Please read the 'man mpd' page for more information on enabling password authentication, but note that passwords are sent in the clear over the network. And, of course, another route to securing MPD is to use a firewall such as iptables or ipchains.
Running as non-superuser
Even though there are no known root exploits in running MPD as root, it is much saner to run any daemon that does not require root access as a non-superuser. The "user" configuration parameter of MPD is the way to accomplish this (an example config file is included with the MPD source and an example is located in the MPD man page). Setting "user" will drop root privileges and run MPD as the user specified (some might call this "setuid" support).
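As an added example (not part of the original page or the MPD project), the Python sketch below audits an mpd.conf for the settings discussed in the two sections above: "bind_to_address", "user" and "password". Both sample configs, the password value and the function names are constructed for illustration; the parser handles only one-line settings and skips { } blocks.

```python
import re

# Constructed sample configs (not taken from a real host).
WEAK_CONF = '''
music_directory "/srv/music"
audio_output {
    type "alsa"
    name "speakers"
}
'''
HARDENED_CONF = '''
music_directory "/srv/music"
bind_to_address "localhost"
user "mpd"
password "example-secret@read,add,control,admin"
'''
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
SETTING = re.compile(r'^(\w+)\s+"((?:[^"\\]|\\.)*)"')

def is_local(addr):
    """True for loopback names and for local socket paths."""
    return addr in LOOPBACK or addr.startswith(("/", "~"))

def parse_top_level(text):
    """Return {name: [values]} for settings outside { } blocks."""
    settings, depth = {}, 0
    for line in map(str.strip, text.splitlines()):
        if line.startswith("#"):
            continue
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and (m := SETTING.match(line)):
            settings.setdefault(m.group(1), []).append(m.group(2))
    return settings

def audit(text):
    """List findings for the settings this page discusses."""
    s, findings = parse_top_level(text), []
    binds = s.get("bind_to_address", [])
    if not binds:
        findings.append("bind_to_address unset: listens on all interfaces")
    findings += [f"bind_to_address {a!r} is not loopback-only" for a in binds if not is_local(a)]
    if "user" not in s:
        findings.append("user unset: MPD keeps the privileges it was started with")
    if "password" not in s and not (binds and all(map(is_local, binds))):
        findings.append("network-reachable and no password configured")
    return findings
```

A configured password still crosses the network in the clear, so an empty findings list for a non-loopback bind would not mean the traffic is protected.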
SSH Tunnel
If you have login access to a machine running SSH, you can use a client to communicate with the daemon over an SSH tunnel, which forwards local connections to $MPD_PORT (6600) to the $MPD_PORT at $MPD_HOST.
You can set up your SSH tunnel with one command:
ssh -N -L6600:127.0.0.1:6600 username@$MPD_HOST
Now point your local MPD client to your localhost and everything should work.
This way, your machine running MPD can even have bind_to_address set to "localhost". This works for other TCP/IP-enabled daemons, too, and is not specific to MPD.