direct_file_access false positives for template files #1148

@marekdedic

Hi, I have the following PHP file in my plugin that is meant to be directly executed:

```php
<?php get_header(); ?>

<?php
if ( ! isUserLoggedIn() ) {
	?>
	<div class="wp-core-ui" style="text-align: center;">
		<a class="button button-primary button-hero button-skautis" href="<?php echo esc_url( getSkautisRegisterUrl() ); ?>">
			<?php esc_html_e( 'Log in with skautIS', 'skautis-integration' ); ?>
		</a>
	</div>
	<?php
} else {
	?>
	<div style="text-align: center;">
		<strong>Jste přihlášeni ve skautISu</strong>
		<br/>
		<a class="button" href="<?php echo esc_url( getSkautisLogoutUrl() ); ?>">
			<?php esc_html_e( 'Log out of skautIS', 'skautis-integration' ); ?>
		</a>
	</div>
	<?php
}
?>

<?php get_sidebar(); ?>
<?php get_footer(); ?>
```

This file is quite clearly meant to be directly executed, but it still gets flagged by direct_file_access.

My take would be to mark as OK any files that contain any HTML outside PHP - that only works if you directly access the file...
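
An added illustration, not Plugin Check's own code: the PHP below uses the tokenizer to report two signals separately, whether a file has markup outside PHP tags (the heuristic proposed above) and whether it contains a `defined( 'ABSPATH' )` guard. The function name `classify_direct_access` and both sample templates are constructed for this example, and the guard is assumed to take that common form.

```php
<?php
// Added example: the function name and sample templates are constructed here.
/** Report two independent signals for one PHP source string. */
function classify_direct_access( string $source ): array {
	$tokens      = token_get_all( $source );
	$count       = count( $tokens );
	$guarded     = false;
	$inline_html = false;
	for ( $i = 0; $i < $count; $i++ ) {
		$token = $tokens[ $i ];
		if ( ! is_array( $token ) ) {
			continue; // Single-character tokens such as "(" or ";".
		}
		// Non-blank markup outside the PHP tags.
		if ( T_INLINE_HTML === $token[0] && '' !== trim( $token[1] ) ) {
			$inline_html = true;
		}
		// A call to defined() whose argument is the string 'ABSPATH' (assumed guard form).
		if ( T_STRING === $token[0] && 'defined' === strtolower( $token[1] ) ) {
			for ( $j = $i + 1; $j < min( $i + 5, $count ); $j++ ) {
				$next = $tokens[ $j ];
				if ( is_array( $next ) && T_CONSTANT_ENCAPSED_STRING === $next[0] && 'ABSPATH' === trim( $next[1], "'\"" ) ) {
					$guarded = true;
				}
			}
		}
	}
	return array( 'guarded' => $guarded, 'inline_html' => $inline_html );
}

// Constructed sample: a template with markup and no guard.
$plain = <<<'TPL'
<?php get_header(); ?>
<div class="wp-core-ui"><a class="button" href="#">Log in</a></div>
<?php get_footer(); ?>
TPL;

// Constructed sample: the same template with the guard as its first statement.
$guarded = <<<'TPL'
<?php
defined( 'ABSPATH' ) || exit;
get_header(); ?>
<div class="wp-core-ui"><a class="button" href="#">Log in</a></div>
<?php get_footer(); ?>
TPL;

foreach ( array( 'plain' => $plain, 'guarded' => $guarded ) as $name => $src ) {
	echo $name, ': ', json_encode( classify_direct_access( $src ) ), PHP_EOL;
}
```

The guarded sample still works as a template, because WordPress defines `ABSPATH` before it includes any template file.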
