When you say it loaded before WordPress loaded, what exactly does that mean? Was it a proxy that handled incoming requests and passed them off to WordPress?
I imagine just including the code in index.php before the bootstrapping process actually loads up WordPress for real. That way you could just halt the script early after noticing a funny request.
I wrote my own front controller, and used .htaccess rules to direct all requests there instead of to WordPress. If the front controller deems the request safe, it just hands off the request to WordPress. Otherwise it quarantines uploaded files (if any), and responds with an error. Lemon squeezy.
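
A sketch of the front-controller arrangement described in the last comment, as an added example that is not the commenter's code. The file name `guard.php`, the quarantine path and the upload checks are assumptions, and it presumes the rewrite rules already route requests to this file.

```php
<?php
// guard.php: illustrative pre-WordPress front controller (added example).
declare(strict_types=1);

// Hypothetical directory outside the document root; must not be web-served.
const QUARANTINE_DIR = '/var/quarantine';

// Assumed policy: an upload is suspicious if its name carries a script
// extension anywhere, or its first 4 KiB contain a PHP open tag.
function upload_is_suspicious(string $name, string $tmpPath): bool
{
    if (preg_match('/\.(php\d?|phtml|phar)(\.|$)/i', $name)) {
        return true;
    }
    $head = (string) file_get_contents($tmpPath, false, null, 0, 4096);
    return stripos($head, '<?php') !== false;
}

// Flatten $_FILES (plain fields and one level of field[] arrays)
// into [original name, temp path] pairs for files PHP really received.
function uploaded_files(): array
{
    $out = [];
    foreach ($_FILES as $field) {
        $tmps = (array) $field['tmp_name'];
        foreach ((array) $field['name'] as $i => $name) {
            if (is_string($name) && is_uploaded_file((string) $tmps[$i])) {
                $out[] = [$name, $tmps[$i]];
            }
        }
    }
    return $out;
}

$files = uploaded_files();
foreach ($files as [$name, $tmp]) {
    if (!upload_is_suspicious($name, $tmp)) {
        continue;
    }
    // One bad file condemns the request: quarantine every upload under a
    // random name with no original extension, then stop before WordPress.
    foreach ($files as [, $path]) {
        move_uploaded_file($path, QUARANTINE_DIR . '/' . bin2hex(random_bytes(16)) . '.quarantine');
    }
    error_log('guard: blocked upload from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(403);
    exit('Request rejected.');
}

// Request passed the checks: hand off to WordPress's own entry point.
require __DIR__ . '/index.php';
```

This sketch only hands off to WordPress's `index.php`; requests for other scripts or static files would need their own routing.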