The standard advice for testing a CAPTCHA-protected form is grim: turn the CAPTCHA off, test, turn it back on. Which means either your monitoring has a blind spot, or your spam protection has a scheduled hole in it.
Formitor refuses that trade. Over the past releases we’ve built signed-test support for every major protection layer, and the set is now complete:
- Cloudflare Turnstile
- Google reCAPTCHA v2 and v3
- hCaptcha
- CleanTalk (the anti-spam filter, not just a captcha, which made it the trickiest)
All of it works across every supported form plugin: WPForms, Contact Form 7, Elementor Forms, Fluent Forms, Ninja Forms and Gravity Forms.
How the bypass stays safe
Each Formitor test submission carries a cryptographically signed, single-use token. The plugin verifies the signature server-side and lets exactly that one request through the CAPTCHA check. Real visitors see the CAPTCHA unchanged. Bots gain nothing: without Formitor’s signature, the token is worthless.
CleanTalk was the interesting case: it could block synthetic submissions because they arrive from monitoring servers rather than a normal browser session, making perfectly healthy forms show as failing. Signed tests are now recognised and allowed through, so results reflect what real visitors experience.
The part nobody else watches
There’s a second failure mode here: the CAPTCHA itself breaking. An expired site key or a blocked script silently rejects every real visitor with “verification failed”, while the page looks perfectly healthy. Because Formitor tests through the live CAPTCHA rather than around it, that outage surfaces too. More on that: CAPTCHA failure detection.