First problem to solve is both check_username_password and check_api_key trigger HTTP requests even if their respective settings aren’t set. ie. I’m using an API key, but we still fire off a wp_remote_get with those query variables empty!
So, ideally if $username and/or $password isn’t set, exit immediately with return false.
Same goes for check_api_key — if there is no $api_key don’t fire off the request.
Next thing to do would be to cache the results of these methods locally fox X seconds or unless the details change. That way the requests are only made every so often, and only forcibly rechecked when required.
