To keep it simple, is it possible that no one can send anything from the production site to the staging site, but only from the staging site to the production site, or to pull the staging site from the production site?
I was thinking of a lightweight version of WP Staging that cannot send a potentially infected version to staging but can only receive it from the staging site. We had the problem that a security vulnerability could create admins. They could then send the infected online version to staging, right?