I have been trying to block it on ModSecurity, and of course any other security layers, to stop bash being accessed easily via HTTP; one should never rely on one layer of security only.
Also worth pointing out, though, that pretty much all distros are at least 2 patches behind: on BSD I have 4.3.27, yet Debian etc. are stuck with 4.3.25 at best. On 4.3.26 and newer they disabled a lot more functions by default.