First I made some test users in the WordPress administration page:
The site uses cPanel, which can be used to get to phpMyAdmin:
I got the password hashes from the wp_users table:
I started cracking them with Hashcat, using a dictionary of the top 500,000 passwords from RockYou:
The four hashes were all cracked in about 4 minutes:
I used cPanel to open phpMyAdmin, and exported the password hashes from the users table:
Those hashes are really long, but they are just MD5 with a 16-byte salt, which is pathetic.
They crack in 1.1 seconds:
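
A defender-side check on a `wp_users` export like the one above, added here as an example (not code from the original post): it reads each `user_pass` value, identifies the hashing scheme from its prefix, decodes the work factor, and lists the accounts still stored under MD5-based schemes. The function names, the `MIN_BCRYPT_COST` threshold and the sample rows are assumptions made for illustration; the sample hashes are constructed, not real.

```python
import re

# phpass "portable" hashes ($P$ / $H$) encode log2(MD5 rounds) in the 4th character.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# bcrypt, optionally with the "$wp" prefix WordPress 6.8+ puts in front of it.
BCRYPT_RE = re.compile(r"^(?:\$wp)?\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MD5_HEX_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
MIN_BCRYPT_COST = 10  # assumed policy threshold, adjust to local standards


def classify(user_pass):
    """Return (scheme, rounds, needs_rehash) for one user_pass value."""
    if (user_pass[:3] in ("$P$", "$H$") and len(user_pass) == 34
            and all(c in ITOA64 for c in user_pass[3:])):
        # 8-char salt and 22-char digest follow; the rounds are iterated MD5.
        return ("phpass-md5", 1 << ITOA64.index(user_pass[3]), True)
    m = BCRYPT_RE.match(user_pass)
    if m:
        cost = int(m.group(1))
        return ("bcrypt", 1 << cost, cost < MIN_BCRYPT_COST)
    if MD5_HEX_RE.match(user_pass):
        return ("raw-md5", 1, True)  # legacy unsalted MD5
    return ("unknown", None, True)   # unrecognised format: review by hand


def audit(rows):
    """rows: iterable of (user_login, user_pass). Return accounts needing a rehash."""
    findings = []
    for login, user_pass in rows:
        scheme, rounds, needs_rehash = classify(user_pass.strip())
        if needs_rehash:
            findings.append((login, scheme, rounds))
    return findings


# Constructed sample export (hash bodies are filler, not real digests).
SAMPLE_ROWS = [
    ("alice", "$P$B" + "saltsalt" + "A" * 22),
    ("bob", "$wp$2y$10$" + "x" * 53),
    ("carol", "0" * 32),
    ("dave", "$2y$08$" + "x" * 53),
]

if __name__ == "__main__":
    for login, scheme, rounds in audit(SAMPLE_ROWS):
        print(f"{login}: {scheme} (rounds={rounds}) should be rehashed")
```

Flagged accounts are normally upgraded by rehashing the password with a stronger scheme at the user's next successful login, or by forcing a password reset.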