Not necessarily. You can easily put the blacklist code in one of your included files or your front controller, depending on how your site is set up. In either scenario, every request will see this code called and the undesirables redirected away. Unless, of course, they come in through a proxy of some sort.
Is every sub-directory which has an index.php need a .htaccess?
I put a .htaccess as the root directory but does not seems to be able to prevent access of some directories. Put more .htaccess at those directories seems become o.k. I found those directories seems all contain an index.php
No, an .htaccess file is supposed to be applied to every subdirectory. I'm not sure if there are Apache directives that can be changed which make .htaccess only apply to the current directory, but I've always had them apply to ancestor directories.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.