Project management triangle
The project management triangle (called also the triple constraint, iron triangle and project triangle) is a model of the constraints of project management. While its origins are unclear, it has been used since at least the 1950s.[1] It contends that:
- The quality of work is constrained by the project’s budget, deadlines and scope (features).
- The project manager can trade between constraints.
- Changes in one constraint necessitate changes in others to compensate or quality will suffer.
For example, a project can be completed faster by increasing budget or cutting scope. Similarly, increasing scope may require equivalent increases in budget and schedule. Cutting budget without adjusting schedule or scope will lead to lower quality.
“Good, fast, cheap. Choose two.” and similar statements are often used to encapsulate the triangle’s constraints concisely.[2][3]
The static .htaccess access control list can be (relatively) secure and easy to implement. But it’s not going to have any features. Eg: what happens when one of your users forgets his/her password?
Using the native WordPress protection (password-protected page or private page) is easy and has basic user management features. But as you’ve said yourself, files are not protected in any way, so the level of security you need isn’t there.
If you want a solution that is secure and feature-rich (at least having WordPress’ basic user management), expect a higher level of complexity.