Can I ask what an ideal setup would be where the WP install is still accessible on the net somewhere to clients (eg: For content editing) that will still keep it secure and hidden from bots and crawlers while allowing WP2Static to work properly?”
What a great question!
The simplest method I prefer, is to use http basic authentication (the username/password box you’ll sometimes see popup on sites).
This is done at the server level, deeper than the application (WordPress) level, so is usually configured in your Apache, nginx or other web server software configuration.
For this use case you might also want to consider Strattic hosting; they host your WordPress website in a containerized environment that is not accessible to the public and shuts down when not in use.
Other methods to lock things down include IP address whitelisting and VPN setups.