Kindergarten, pants with straps.
Naive dreamers have been asking this question for many years, but the answer has not changed during this time:
1. To cut off unlicensed use - no way to track it . A nulled version of your unfortunate engine will appear on the Internet a day after the release, in which all the checkers you can think of will be torn off.
2. It is necessary to sell not a program, but a service. Host your platform on your own server and charge a monthly usage fee. There are no other options to track usage, and there cannot be.

Add an auto-update system to your CMS so that the developer does not have suspicions about strange files sending requests to other domains. In the admin panel, give the opportunity to disable this auto-update and still continue to send requests once a day, requesting information about the new version.

If the CMS implies installation, then you can make a request one time during installation.
If CMS setup is meant, then the request can be made when performing this action.
In general, if I were pinned like this, I would make the installation a single file that pulled the sources from my server and deployed it on the client's server. Well, at the same time I would put a "tick" at myself.

1. Buying the engine has the right to put only one copy of the site? But what about a server for development and testing, for example? What if he doesn't have internet access?
2. What will you do if your scripts signal unlicensed use? This, in fact, is the best you can count on - all sorts of "prohibitions" there will still be broken, but the "knocker" may be missed. Well?
3. Look around. Where do you see people selling engines? Trade the possibility of updating, plugins and other services. Do you know why?..

1. Think over the mechanism: The engine does not work without entering a license key. Those. it is required that the activation of each function requires the presence of a certain key, requested from the server every few minutes. The more difficult and hectic the hacking is, the less likely it is that someone will bother.
2. You can organize requests in turn from several external IPs.
3. Each function must use different variables and access it directly, not through some single function, otherwise they will simply bypass it.
4. During installation, information from the server must be required to confirm the validity of the key. Then you will know who is from which domain.
5. It is possible to build in a mechanism for silently sending data, but then this should not happen immediately, but after some time. And it should not automatically block the domain, otherwise they will quickly reveal the chip. It’s better to quietly send the data, you receive it, and then write a comment proposal to the owners of the resource.

damn it, I specifically asked how to implement this, and not why do I need it and other philosophy

Easy.
We make a server based on a platform that does not require source codes in production.
1. That is, on the compiled one. And preferably not in byte-code, which is easily decompiled.
2. Yes, and to simplify the installation - compiled in native code
3. As you might have guessed, this is not PHP. Suitable C/C++, Go, Haskell. Java, Python is not suitable.
Hacking such a thing is too laborious.
PHP breaks too easily.
That is, you can not raise the price.
As soon as you raise the price a little, it becomes profitable to break.
And what is written in PHP breaks even without knowledge of PHP itself, seriously.

make a php request - but only on Mondays from 8 to 9 (day of the week and time is determined by the domain).