When one server in the network detects a scanner, every server blocks it automatically. Real-time shared intelligence at firewall level.
A lightweight script on each server does all the work — no dashboards to monitor, no rules to write manually.
A lightweight script monitors your access logs for 404 scanning patterns — probes targeting wp-admin, .env files, phpMyAdmin, and known exploit paths.
The attacker IP is reported to the Threat404 central node via authenticated API. The master blocklist updates within seconds and is available to all members.
Every 15 minutes all member servers pull the updated blocklist and load it into ipset. Attackers are dropped at kernel level — before reaching your app.
No SaaS overhead, no agents, no vendor lock-in. Shell scripts and a shared blocklist.
Uses ipset and iptables to block at the kernel level. Attackers never reach nginx, Apache, or your application — zero processing overhead.
Separate blocklists and ipset rules for both address families. Modern attackers use both — so does Threat404.
Works with Apache, Nginx, OpenLiteSpeed, or any server writing standard combined log format. No server-specific plugins required.
Cron-driven pull every 15 minutes keeps all member servers current. New threats propagate to the entire network within one cycle.
Optional must-use plugin adds a threat dashboard to your WP admin — view blocked IPs, recent detections, and network stats without leaving WordPress.
Each member server has a unique API key. All submissions are verified. Private and loopback addresses are automatically rejected server-side.
Any server exposed to the internet is being scanned constantly. Threat404 turns your network into a collective defence.
Block wp-login brute force and xmlrpc attacks before they reach PHP. Includes a WP admin dashboard plugin.
One detection on any client server protects all client servers. Collective intelligence across your entire portfolio.
Stop credential stuffing and exploit scanning from reaching your application layer entirely. Zero performance impact.
Minimal footprint. No dependencies beyond bash, curl, and ipset.
# Pull master blocklist every 15 min curl https://api.threat404.cloud/blocklist.txt \ -o /tmp/blocklist_new.txt # Load into ipset (kernel firewall) while read ip; do ipset add threat404_v4 "$ip" 2>/dev/null done < /tmp/blocklist_new.txt # Attackers dropped before reaching app # ✓ 1,419 IPs currently blocked
Currently a private network. Enter your email to be notified when public access opens and receive early member pricing.
No spam. Early members get free tier access for 12 months.