people need a user account on my site to be able to download a plugin. I want to add an activation function in the plugin so a user must supply their username and password the first time they use the plugin to make sure that they have a valid user account on my site before they can use it
what is the simplest way to remotely check a username and password to see if it valid or not from within a php file?
I don’t want to enable xml rpc on the site.
Its nonsensical to lock activation, unless the functional part of your code remains on your site. You essentially can make a service that you hide behind a login or apikey (like akismet) which may or may not make sense for your plugin.
Calling home for permission to activate is a terrible idea, because idealistically, it’s a violation of the GPL (won’t earn you any fans or loyalty), and pragmatically, the client can easily change the code to not require the permission (won’t earn you any money either).
You could deny auto-updates and support behind a support contract, but that’s different isn’t it? In that case you cache the login info into an option and transmit that back you your server each time it requests the update zip. Your server checks the validity of the info before sending the update archive.