In my case, the issue was the multi-site config attribute NOBLOGREDIRECT
This had been set in wp-config.php…
// Redirect non-existent Multisite subdomain calls to www primary site
define( 'NOBLOGREDIRECT', 'http://www.example.com' );
This prevents a valid 404 appearing since it is always interpreted as a bad call to a subdomain.
There are two solutions:
- Comment it out
- As stated by @brij’s post (discovered through Google), override it:
In wp-config.php, NOBLOGREDIRECT is defined so that when someone
enters a subdomain that does not exist on your site to redirect to
whatever url you wish it to. But the bad thing is when someone tries
to access the page of domain that doesn’t exist, it redirects to
NOBLOGREDIRECT defined location instead of throwing 404. To fix it,
add following PHP code in functions.php or any related file
<?php remove_action( 'template_redirect', 'maybe_redirect_404' ); ?>