A lot of clients seem to be using WordPress in one form or another and this can sometimes provide usernames/passwords that are used on other systems. Here is a quick script to perform dictionary based penetration testing on WordPress.
I normally use this with my own modified rockyou password list as well as the 10-k password list.
If you see something like this:
Or if they are using some other “block IP after X failed logins”, you’ll want a script to pipe everything through Tor. Or perhaps have say x tor instances running and cycle through them, updating identities every y attempts. I’ve written a script for this which can be found on my Github page.