If you don't want .htaccess then some good security through obscurity should suffice in this case. Put all templates in a folder with a long random impossible to guess name, for example "/templates_JlABWSFW1HlbghZ57GFo". Store the folder name in some configuration or constant in your application and use it whenever your scripts need to access the files. But make sure that no one - even in the admin area - ever sees the real path to the templates so don't send the folder name to the browser. If you need someone to access a template file in the browser then let them do it through a proxy php script that will authenticate the user and serve the file from the secret folder. Also, suppress any php warnings for the functions you will be using to access the secret folder because if an error occurs (for example in file_get_contents('/templates_JlABWSFW1HlbghZ57GFo/...') or fopen('/templates_JlABWSFW1HlbghZ57GFo/...'), copy(), etc. ) then php may throw a warning outputting the file path to the browser.
This should be enough for most use cases. You may rename the secret folder periodically.
As additional security you can also append some random string to each file name you store in the secret folder.