One sure-fire, yet simple, method is to scramble the AUTH_KEY constant in the wp-config.php file on the backup server.
In wp-config.php, change your AUTH_KEY line to append rand(). Example:
define('AUTH_KEY', 'YOUR-SUPER-SECURE-GENERATED-KEY' . rand());
On every page, the logged-in key is altered. This prevents users from staying logged in. Note: rand() is very insecure. But we’re not saving hashes, just trying to create a new value on each page load, so this should be sufficient. An attacker would need to know your AUTH_KEY (since we’re appending the random value), and this setup is focusing on preventing good users from logging in, not trying to harden security against bad users.
If a user tries to log in, the login page will redirect them back to the login page indefinitely, since the cookie generated with the old AUTH_KEY is invalid each time a page is loaded.
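The mechanism described above, as an added example that is not part of the original article and is not WordPress core code: a simplified model of an HMAC-signed login cookie, showing that a cookie signed during one request fails validation on the next when the key is rebuilt with rand(). The salt, user name and function names are assumptions made for illustration.

```php
<?php
// Simplified model of a signed login cookie (not WordPress core code).
// The salt and user name are constructed sample values.

const BASE_KEY  = 'YOUR-SUPER-SECURE-GENERATED-KEY';
const AUTH_SALT = 'constructed-sample-salt';

// Models define('AUTH_KEY', BASE_KEY . rand()) being evaluated once per request.
function request_key(bool $scrambled): string {
    return $scrambled ? BASE_KEY . rand() : BASE_KEY;
}

// Signing secret for one request: key and salt concatenated.
function signing_secret(string $authKey): string {
    return $authKey . AUTH_SALT;
}

// Cookie format in this model: user|expiry|HMAC-SHA256(user|expiry).
function issue_cookie(string $user, int $expires, string $authKey): string {
    $payload = $user . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, signing_secret($authKey));
}

function validate_cookie(string $cookie, string $authKey, int $now): bool {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return false;
    }
    [$user, $expires, $mac] = $parts;
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return false; // malformed or expired
    }
    $expected = hash_hmac('sha256', $user . '|' . $expires, signing_secret($authKey));
    return hash_equals($expected, $mac); // constant-time comparison
}

// Request 1 signs the cookie at login; request 2 validates it with that request's key.
function login_survives_next_request(bool $scrambled): bool {
    $now    = time();
    $cookie = issue_cookie('editor', $now + 3600, request_key($scrambled));
    return validate_cookie($cookie, request_key($scrambled), $now);
}

foreach (['primary, stable key' => false, 'failover, key . rand()' => true] as $label => $scrambled) {
    printf("%s: %s\n", $label, login_survives_next_request($scrambled) ? 'cookie accepted' : 'cookie rejected');
}
```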
When copying your site over every night, copy all files except wp-config.php. This may already be required for your current setup, as the connection to the failover database might have different credentials.