[Combo]

i am interested in the answers to come, i'm kind stuck there to. Have a target, run a few scans, get to know the server but, nothing seems week, tried several exploits with metasploit but nothing, even armitage fail too, the only thing left for me was, since the site was on WordPress use wpscan and go for the brute force, but gain....it takes forever, and using VPN also sometimes get stuck, i use little python from this great forum! to split large password list, so i split rockyou in like 25 lists, but still is very hard because some times its freeze so...after trying less of 20% with no success i give up here too...soooo good luck and hope we can get trough this! May add that LFI/RFI ,SQLI or XSS didn't work for me in first place!

good hunting!

Maybe they have basic security precautions in place.
Try to social engineer the admin. If you can get an email address that is.