• Resolved: Robert Eichhorn (@robert-eichhorn)


    I’ve found this example of .htaccess code to stop username enumeration:

    # Stop WordPress username enumeration vulnerability
    RewriteCond %{REQUEST_URI} ^/$
    RewriteCond %{QUERY_STRING} ^/?author=([0-9]*)
    RewriteRule ^(.*)$ https://yoursite.com/somepage/? [L,R=301]

    My questions are:
    1. The code is missing these elements to start the code:
    RewriteEngine On
    RewriteBase /

    Should I add these elements or not?

    2. The last line of the code includes this URL:
    https://yoursite.com/somepage/

    I understand ‘yoursite.com’ but I don’t understand ‘somepage’. It is a general reference instead of a specific reference. It seems like I could replace ‘somepage’ with any of my site’s pages. For the RewriteRule to work, do you think it matters what page I use?

Viewing 1 replies (of 1 total)
  • 1. Whoever published this code probably took for granted that the RewriteEngine module already was enabled. You only need to enable it once.
    Declaring RewriteBase is only needed if the rewrite rules you’re giving are NOT relative to the URL location of the .htaccess file. For instance if your whole site is located under /staging/ but the .htaccess is in the website root directory.

    2. Now let's scrutinize the actual rewrite block:

    RewriteCond %{REQUEST_URI} ^/$
    RewriteCond %{QUERY_STRING} ^/?author=([0-9]*)
    RewriteRule ^(.*)$ https://yoursite.com/somepage/? [L,R=301]

    In a rewrite block, you first have one or more conditions for applying the rewrite rule. If the current request doesn’t match these conditions, then the rule is skipped.
    The ^ means “Start of string”, the $ is “End of string”. Line 1 just says: This rewrite rule applies only if the requested URL is for the “root page”.
    The second line matches if the query string (whatever comes after a question mark) starts with “author=” followed by digits. (So this particular condition would probably not work if the attacker first added some other parameter, say … ?a=hello&author=111 ??)
    Then the actual rewrite happens. The first parameter is the string matching, which just says “remember everything between start and end of string so that it might be reused in the rewrite part as a variable” (since it’s the first pair of parentheses, it would be recalled as $1). Next it says: send back the code “permanently moved” (R=301) to the browser with this URL. You might actually put any URL there… The “L” means “… and stop processing .htaccess now”.

    For this thing to work, you’d need to have this thing BEFORE the standard rewrite rule of WordPress, otherwise the processing would never reach your rule.

    Also: All your questions around .htaccess aren’t really about WordPress. In order for .htaccess to work, your server needs to be running Apache (and not, say, Nginx), and your webhost needs to have enabled use of .htaccess for its clients.
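
As an added example (not code from the thread, WordPress, or either poster), the reply's point about parameter order can be checked by mirroring the two RewriteCond lines in Python against a few constructed query strings; the HARDENED_COND pattern and the RewriteCond line shown in its comment are my assumption of a more robust match, not something the thread provides:

```python
import re

# Mirror of the thread's second RewriteCond: "author=" must be the FIRST
# parameter of the query string (the "/?" only makes a leading slash optional,
# it does not let other parameters come first).
ORIGINAL_COND = re.compile(r"^/?author=([0-9]*)")

# Assumed hardened pattern: match "author=<digits>" at the start of the query
# string OR directly after an "&" separator. The equivalent Apache line would be:
#   RewriteCond %{QUERY_STRING} (^|&)author=[0-9]+
HARDENED_COND = re.compile(r"(^|&)author=[0-9]+")


def original_blocks(request_uri: str, query_string: str) -> bool:
    """True when BOTH RewriteCond lines from the thread match this request.
    RewriteCond searches anywhere in the string unless anchored, like re.search."""
    return request_uri == "/" and ORIGINAL_COND.search(query_string) is not None


def hardened_blocks(request_uri: str, query_string: str) -> bool:
    """Same root-URI condition, but author=<digits> may appear at any position."""
    return request_uri == "/" and HARDENED_COND.search(query_string) is not None


# Constructed sample requests as (REQUEST_URI, QUERY_STRING) pairs.
SAMPLES = [
    ("/", "author=1"),               # plain enumeration probe
    ("/", "a=hello&author=111"),     # the reordering the reply worries about
    ("/", "page_id=2"),              # unrelated parameter, must not redirect
    ("/", "xauthor=1"),              # different parameter name, must not redirect
    ("/blog/", "author=1"),          # not the root URI, first condition fails
]


def evaluate(samples=SAMPLES):
    """Return (uri, query, blocked_by_original, blocked_by_hardened) per sample."""
    return [(uri, qs, original_blocks(uri, qs), hardened_blocks(uri, qs))
            for uri, qs in samples]


if __name__ == "__main__":
    for uri, qs, orig, hard in evaluate():
        print(f"{uri}?{qs:<22} original={orig!s:<5} hardened={hard}")
```

The second sample is the one that slips past the original block while the hardened pattern still catches it.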

  • The topic ‘Questions about .htaccess code (5)’ is closed to new replies.