The Perl script
I have a Perl script running on an old Debian 6 server (until I move to a new server) that opens an editable pane in an .shtml file, accepts only Creole markup input from a single user, and writes to two user-editable .shtml files and makes a backup copy of each when saving the edited .shtml file. The .shtml file permissions are `606` or `-rw----rw-`.
After editing, the non-tech-savvy user has to enter a password to trigger the script, and (in the unlikely event that he'd ever do this) 'script' tags come out in plain text.
Before switching servers these used to run under `suEXEC` (which I did not set up and don't want to use), but they now need the permissions change to run.
The writable files
The two editable .shtml files are SSI with the virtualHost block set to `IncludesNoExec`.
There is no .htaccess file in the user's `public_html` directory, the only other user only ever makes simple HTML edits and has no other knowledge, I manage the scripts in the `cgi-bin` above the `public_html` folder, and all files in the user directory are owner/group username.
My questions, taking into account the above:
- is there anything I should beware of if the file permissions are `606`/`-rw----rw-`?
- what else could I do to further secure such an old Debian server for now?
I've considered changing the server port from 22 to something much higher, which I've done on another server, but for a couple of sites running on this old one I have no access as yet to their DNS or remote login settings, so it isn't yet an option. Like many people, I'm not really a server admin, but have to maintain things as my co-dev died.
The most important questions are:
From your description it looks like the app is an HTML form and your program is a CGI script. So that script is launched by the HTTP server daemon user when the user clicks on the Submit button.
In case of compromise of this CGI script or another one, you do not want your script to be modified. So the script must be read+exec only by the HTTP daemon user, and the owner of the file must be another user so the daemon user can't change the permission.
The .shtml files must be read+write by the daemon and also not owned by the daemon. The script must never delete them and instead just rewrite their content.
The directories where the script and the .shtml files are stored must be neither writable nor owned by the HTTP daemon user.
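
The ownership and permission rules in the answer above can be checked mechanically. The following is an added example, not code from the question or the answer. It works out which permission bits the kernel applies to the HTTP daemon and reports every rule an object breaks. It also shows that mode `606` satisfies the rules only through the "other" bits, which makes the file writable by every local account. The function names, the daemon uid/gid 33 (`www-data` on Debian) and the uid/gid 1000 are assumptions, and the group-writable `664` layout is shown as one alternative, not something the answer prescribes.

```python
import os
import stat

def daemon_bits(mode, owner_uid, group_gid, daemon_uid, daemon_gids):
    """Return the rwx bits (0-7) that apply to the daemon: owner, else group, else other."""
    perm = stat.S_IMODE(mode)
    if daemon_uid == owner_uid:
        return (perm >> 6) & 7
    if group_gid in daemon_gids:
        return (perm >> 3) & 7
    return perm & 7

def audit(kind, mode, owner_uid, group_gid, daemon_uid, daemon_gids):
    """Check one object; kind is 'script', 'content' or 'dir'. Empty list means compliant."""
    if kind not in ("script", "content", "dir"):
        raise ValueError("unknown kind: %r" % kind)
    bits = daemon_bits(mode, owner_uid, group_gid, daemon_uid, daemon_gids)
    findings = []
    if owner_uid == daemon_uid:
        findings.append("owned by the daemon, which can therefore chmod it")
    if kind == "script":
        if (bits & 5) != 5:
            findings.append("daemon cannot read and execute the script")
        if bits & 2:
            findings.append("daemon can modify the script")
    elif kind == "content" and (bits & 6) != 6:
        findings.append("daemon cannot read and write the file")
    elif kind == "dir" and bits & 2:
        findings.append("daemon can create, delete or rename entries")
    if stat.S_IMODE(mode) & 0o002:
        findings.append("world-writable: every local account can modify it")
    return findings

def audit_path(kind, path, daemon_uid, daemon_gids):
    """Same check against a real file or directory on disk."""
    st = os.stat(path)
    return audit(kind, st.st_mode, st.st_uid, st.st_gid, daemon_uid, daemon_gids)

if __name__ == "__main__":
    WWW = 33  # assumption: uid and gid of www-data; confirm with `id www-data`
    # Constructed samples: (kind, mode, owner uid, group gid)
    samples = [
        ("content", 0o100606, 1000, 1000),  # the 606 layout from the question
        ("content", 0o100664, 1000, WWW),   # alternative: group www-data, mode 664
        ("script",  0o100755, 0, 0),        # script owned by root
        ("script",  0o100755, WWW, WWW),    # script owned by the daemon
        ("dir",     0o040755, 1000, 1000),  # directory owned by the site user
    ]
    for kind, mode, uid, gid in samples:
        print(kind, oct(stat.S_IMODE(mode)), audit(kind, mode, uid, gid, WWW, {WWW}))
```

To check the live files, call `audit_path` with the real paths and the uid and group ids of the account the web server runs as.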