You will at least need to have a dedicated authentication server and database of users/purchases/licences.
Virtualised server offerings from AWS, Google Cloud, Azure, …, mean that you don’t have to worry about maintaining your own hardware, but you would still need to keep an eye on the latest security news and update your services accordingly. This is usually pretty low overhead in practice but not something you can ignore.
It’s possible that rolling your own anti-piracy will do more hard than good. Anything less than a comprehensive solution will get cracked pretty swiftly, and any measures you do put in may make the product worse for paying customers. I think there are two sensible strategies:
Do the minimum viable licence checking using your own authentication web infrastructure. Add just enough complexity to the licence check that when people download a cracked version it’s obvious that it’s not the same as the original version. If you plug-in becomes popular then a crack will appear fairly swiftly, but this approach will be minimally intrusive to your users.
Use a tried-and-tested comprehensive solution. PACE is the industry leader by a wide margin: https://www.paceap.com/ . They provide online licence management for you, so there’s a whole swathe of problems you no longer need to think about.
** JUCE is owned by PACE, but this post is not representative of JUCE’s or PACE’s opinions, nor is it meant to be an explicit advert for their services. I have personally released plug-ins using the first approach and made my peace with seeing a cracked version appear, disheartening though it may be. I just want to caution very strongly against implementing anything more than the minimum viable protection yourself.