
I'm using BlueHost and have a few websites on my hosting. I decided to stop being lazy and start implementing some better security policies on my own part.

Since FTP isn't secure, I changed to SFTP. The odd thing is that BlueHost won't let me delete two of the FTP accounts on my BlueHost account. If these two accounts are never used, are they still a security risk?

Jacob Henning

2 Answers

3

The short, non-nuanced answer is "Yes". Even if the accounts are unused there is still a risk of brute force.

A longer answer would be "Yes, but you can greatly mitigate the risk". I know you said you changed to SFTP, but I'm not clear if you've disabled the FTP service completely. A good chunk of the risk here can be mitigated if you're able to harden the server (or have already hardened it) by disabling FTP.

Additionally, if these users only have the ability for FTP logon you'll further reduce the risk. It's going to be difficult to exploit FTP accounts if there is no FTP service running and the accounts can only log into FTP.

I haven't run anything on Bluehost so I don't know how much control they give you over the above.

0

Yes, they represent a risk. If someone managed to brute force the passwords then there may be a vulnerability in the software that allows the users to get access to files they shouldn't be able to access or even do some sort of privilege escalation and get control of the process and possibly the system. While not likely, it is possible.

If you can't disable FTP or the accounts at least make the passwords super long and complicated so that it's unlikely they'll be brute forced.

Swashbuckler
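Both answers rest on the same point: an account that is never used legitimately still accepts login attempts, so the risk is brute force against it. A defender on a host where FTP cannot be switched off can at least watch for that. The following is an added example, not code from either answer or from BlueHost: it parses FTP authentication log lines in the style of vsftpd's `vsftpd.log` (the format and the sample lines are constructed for this example; the account names `legacy_ftp1`/`legacy_ftp2` are placeholders for the two accounts the hosting panel will not delete) and reports repeated failures per source address, any attempt at all against the unused accounts, and, most importantly, any successful login to one of them, which should never happen.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, modelled on vsftpd's authentication log style
# (assumption: "<date> [pid N] [user] OK|FAIL LOGIN: Client \"ip\"").
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mon Jun  3 02:14:01 2024 [pid 4021] CONNECT: Client "203.0.113.7"
Mon Jun  3 02:14:02 2024 [pid 4021] [legacy_ftp1] FAIL LOGIN: Client "203.0.113.7"
Mon Jun  3 02:14:03 2024 [pid 4021] [legacy_ftp1] FAIL LOGIN: Client "203.0.113.7"
Mon Jun  3 02:14:04 2024 [pid 4021] [legacy_ftp1] FAIL LOGIN: Client "203.0.113.7"
Mon Jun  3 02:14:05 2024 [pid 4021] [legacy_ftp1] FAIL LOGIN: Client "203.0.113.7"
Mon Jun  3 02:14:06 2024 [pid 4021] [legacy_ftp1] FAIL LOGIN: Client "203.0.113.7"
Mon Jun  3 09:30:11 2024 [pid 4100] [webadmin] FAIL LOGIN: Client "198.51.100.2"
Mon Jun  3 09:30:20 2024 [pid 4100] [webadmin] OK LOGIN: Client "198.51.100.2"
Mon Jun  3 23:58:40 2024 [pid 4377] [legacy_ftp2] OK LOGIN: Client "203.0.113.7"
"""

# Placeholder names for the accounts that cannot be deleted and are never used.
UNUSED_ACCOUNTS = {"legacy_ftp1", "legacy_ftp2"}

# Only login result lines are of interest; CONNECT and transfer lines are skipped.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)


def parse_line(line):
    """Return a dict for a login result line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
        "user": m["user"],
        "ok": m["result"] == "OK",
        "ip": m["ip"],
    }


def analyze(log_text, unused_accounts, threshold=5):
    """Summarise login activity and flag what a defender should act on."""
    failures_by_ip = Counter()
    unused_attempts = defaultdict(int)
    successful_unused = []
    parsed = 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        parsed += 1
        if not ev["ok"]:
            failures_by_ip[ev["ip"]] += 1
        if ev["user"] in unused_accounts:
            # Any attempt against a never-used account is suspicious;
            # a successful one means the account must be treated as compromised.
            unused_attempts[ev["user"]] += 1
            if ev["ok"]:
                successful_unused.append((ev["user"], ev["ip"]))
    return {
        "parsed": parsed,
        "failures_by_ip": dict(failures_by_ip),
        "brute_force_ips": sorted(ip for ip, n in failures_by_ip.items() if n >= threshold),
        "unused_account_attempts": dict(unused_attempts),
        "successful_unused_logins": successful_unused,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, UNUSED_ACCOUNTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample data the report shows one address making five failed attempts against `legacy_ftp1` (above the threshold) and then logging in successfully to `legacy_ftp2`; the `successful_unused_logins` entry is the signal that the "never used" account has in fact been used, which is the outcome both answers warn about and the reason the passwords on such accounts need to be long and random even if the accounts sit idle.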