That's on you. Has nothing to do with Xenforo. It will occur with any forum platform or other kind of website. Modern web browsers. Specifically the latest versions of Chrome and Firefox at this point will now inform users of the fact that data they input is being transmitted in the clear.
The solution is to implement an SSL certificate. Can be done free with letsencrypt if your host offers support or you run your own server. Can also be had for next to nothing elsewhere.
Without TLS encryption people's passwords are transmitted across the internet unencrypted.
You can inform your users of what is going on and also inform them this has been the same for years. The web is just no longer gently nudging site operators towards encryption.