I'm not the author, but let me try to answer.
The default WordPress login is .../wp-login.php. Changing the file (PHP file) to something different (for example: .../login) is hard and might cause many issues, because that is the WordPress default. Also, deleting wp-login.php is not a good thing to do.
So, using .htaccess, the author redirects it. If anyone types:
then it will be redirected to the original WordPress login.
The problem is, what if someone (a hacker) types the original login? The author added something called a secret code:
.../wp-login.php -> not a valid login, disable it.
.../wp-login.php + secret code -> allow it to login.
I think it is good to use this trick, because when something bad happens, we can easily edit the .htaccess file and delete the plugin folder, and then we can log in to the website again. This plugin doesn't make any changes to the original WordPress files.
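
The mechanism described in the reply above, sketched as an added example; it is not the plugin's actual rules and not part of the original post. It assumes Apache with mod_rewrite, a site at `https://example.com/`, the slug `login`, and a hypothetical query parameter `gate` carrying a placeholder secret.

```apache
# Illustrative .htaccess fragment (assumed names: slug "login",
# parameter "gate", host example.com, placeholder secret).
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# 1. Public slug: /login is rewritten internally to the real login
#    script with the secret attached. The browser keeps showing /login.
RewriteRule ^login/?$ wp-login.php?gate=CHANGE_ME_RANDOM_SECRET [QSA,L]

# 2. Direct requests for wp-login.php are refused unless
#    a) the secret is in the query string (the case produced by rule 1), or
#    b) the request follows on from this site's own login or admin pages
#       (the login form POST, logout and lost-password links).
#    The Referer header is supplied by the client, so (b) keeps WordPress
#    working rather than authenticating anyone; password strength and
#    login rate limiting still carry the security.
RewriteCond %{QUERY_STRING} !(^|&)gate=CHANGE_ME_RANDOM_SECRET(&|$)
RewriteCond %{HTTP_REFERER} !^https://example\.com/(login|wp-login\.php|wp-admin) [NC]
RewriteRule ^wp-login\.php$ - [F,L]
</IfModule>
```

Removing this block from .htaccess restores the default behaviour, which matches the recovery path the reply describes: no WordPress core file is touched.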