how to make a plugin secure, so any one if changes something in plugin, it just disables it self and notify us on server?

Solution: 

  • If you encode it with ZendGuard or ionCube, it can’t be modified but will not be GPL friendly so make sure you’re OK with that. Plus it’ll need a runtime installed on server.
  • If you ship it plain source, it can be edited and the whole self-verification part can be removed or any obfuscation you do can be reversed.

Scripting languages can’t be properly protected, software either.