Support

The popup you are seeing is the Password Protect Administrator feature of Admin Tools. It adds an extra HTTP authentication layer in front of the Joomla administrator area, making it much harder for attackers to reach Joomla’s own login page.

The reason this popup is appearing on the frontend of your site is that the JomHoliday component loads some of its resources (CSS, JavaScript, or similar static files) directly from the administrator/components/com_jomholiday/ directory and serves them on frontend pages. Because Admin Tools’ Password Protect Administrator feature protects everything under the administrator/ directory by default, those resource requests also trigger the authentication popup in your visitors’ browsers.

This is a long-standing bad practice in Joomla component development. Since Joomla 1.5 (released in 2008), the correct location for static resources shared between the frontend and backend has been the media/ directory. Joomla 4 (released August 2021) made this requirement more emphatic by deprecating the mechanisms developers previously used to bypass it, and Joomla 7 will remove those mechanisms entirely — which means JomHoliday will break on that version. You may want to report this to the JomHoliday developers.

In the meantime, here is a workaround that will stop the popup from appearing on your frontend:

1. Log in to your Joomla administrator area.
2. Go to Components → Admin Tools.
3. Click Password Protect Administrator in the left-hand column.
4. Change the Administrator resources to protect option from Everything to Joomla.
5. Re-enter your desired username and password and save.

Setting this to Joomla restricts the HTTP authentication to Joomla’s actual backend login page only, rather than everything under the administrator/ directory. JomHoliday’s frontend pages will no longer trigger the popup, and your administrator login page remains protected.