Modern methods for protecting direct access to plugin files?

Is the following even still necessary, and if so, is it still the standard? Or does WordPress automatically protect plugins files from abuse nowadays?

if ( ! defined( 'ABSPATH' ) ) {     exit; } 

But, if we do still need to use it, I’m of the mind that the more secure solution is to not give the bad guys any hints at all if they’re sniffing around. That is, rather than showing an error message or white screen of death, which only verifies for them that the plugin they’re sniffing out vulnerabilities for does in fact exist on the installation, how about throwing a 404 as though it doesn’t exist at all?

The following is the closest I’ve gotten to so far:

if ( ! defined( 'ABSPATH' ) ) {     header( 'Location: 404' );     die(); } 

This is pretty good, but not completely ideal, in that even tagging a 404 onto the attempted URL like this is an irregular pattern, that gives away a clue. Otherwise, it does exactly what I want it to.

But my other attempts with combinations of:

http_response_code( 404 );

or status_header( 404 );



or wp_safe_redirect( get_stylesheet_directory_uri() . '/404.php', 404 );

or header( get_stylesheet_directory() . '/404.php' );

had no effect.

Finally, in this context, die(); vs exit;, are either of them better than the other or do they work exactly the same way here?