Channel: Topic Tag: malware | WordPress.org

Dan on "A malicious crawler is attacking to theme-compat"


Is the traffic still occurring today? Do you mind providing the frequency of these connection requests with that similar pattern (/wp-includes/theme-compat/e5.php?...)? For example, 20 different unique IPs attempting to connect in 5 minutes?

I am not so sure that you want to mess with that traffic and redirect it back to your homepage. I asked the Wordfence support team and they generously suggested using the Wordfence option under the "Options" page, then under "Other Options" use the setting "Immediately block IP's that access these URLs" and include the URI like the example below:

/wp-includes/theme-compat/e5.php*

Have you done any kind of scanning on your site using Wordfence, just to make sure there is nothing buried beneath your site? Wordfence recommended using these settings during the scan.

• Scan file contents for backdoors, trojans and suspicious code
• Scan database for backdoors, trojans and suspicious code
• Scan files outside your WordPress installation
• Scan images and binary files as if they were executable
• Disable Code Execution for Uploads directory
• Scan theme files against repository versions for changes
• Scan plugin files against repository versions for changes

I thought this might be external scanning activity, but the different ranges of IP addresses and the URI match many of the known patterns with Cryptowall. If this is the case, there isn't exactly a way to remove your domain from their list, since these are malicious users with bad intentions. They might have the domain hard-coded into their malware, or there is a script that scans for particular characteristics that match your website.

https://malwr.com/analysis/YmE4YzNmYzQ1OTBjNDAxOGFmZDRkODdhMDVkZjgyMDI/
https://www.virustotal.com/en/file/f5b3abfb3e4c1a5fba6a4e170b95d7ea7c87a398882932a467fbea78e82f36fa/analysis/

If it's possible to provide the domain, I might be able to look up a little more information and see if any AV vendors have seen your domain out there. The best thing you can do is block these requests for the time being and verify your site is completely clean.
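The frequency question above (how many distinct IPs hit /wp-includes/theme-compat/e5.php* in a 5-minute window) can be answered straight from the web server access log. The script below is an added example, not code from this thread or from Wordfence: it parses constructed combined-format log lines (documentation IP ranges), buckets requests for the e5.php prefix into fixed 5-minute windows, and reports the windows whose distinct-IP count reaches a threshold. The log lines, the `unique_ips_by_window` and `flag_windows` function names and the 20-IP default are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (Apache/nginx combined format, RFC 5737 IPs).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2015:12:00:01 +0000] "GET /wp-includes/theme-compat/e5.php?x=1 HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Mar/2015:12:01:30 +0000] "GET /wp-includes/theme-compat/e5.php?y=2 HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2015:12:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.12 - - [10/Mar/2015:12:03:45 +0000] "GET /wp-includes/theme-compat/e5.php HTTP/1.1" 404 209 "-" "curl/7.40"
192.0.2.10 - - [10/Mar/2015:12:04:10 +0000] "GET /wp-includes/theme-compat/e5.php?x=3 HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:12:30:00 +0000] "GET /wp-includes/theme-compat/e5.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

# client IP, timestamp in [...] and the request path are all we need
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')
TARGET = "/wp-includes/theme-compat/e5.php"  # same prefix as the e5.php* block rule above


def parse(lines):
    """Yield (ip, timestamp, path) for each parseable log line; skip anything malformed."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["path"]


def unique_ips_by_window(lines, target=TARGET, window_minutes=5):
    """Map each fixed window start ('YYYY-MM-DD HH:MM') to the sorted distinct IPs hitting target*."""
    buckets = defaultdict(set)
    for ip, ts, path in parse(lines):
        if path.startswith(target):  # prefix match, so query strings are included
            start = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0)
            buckets[start.strftime("%Y-%m-%d %H:%M")].add(ip)
    return {start: sorted(ips) for start, ips in buckets.items()}


def flag_windows(lines, threshold=20, **kwargs):
    """Return the window starts where the distinct-IP count reached the threshold."""
    return [start for start, ips in unique_ips_by_window(lines, **kwargs).items()
            if len(ips) >= threshold]


if __name__ == "__main__":
    for start, ips in unique_ips_by_window(SAMPLE_LOG.splitlines()).items():
        print(f"{start}: {len(ips)} distinct IPs -> {ips}")
```

Run it against a real access log with `flag_windows(open("access.log"))` and a threshold that matches the pattern you are seeing; a window that trips the threshold is the kind of evidence worth attaching to the thread.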
